214 files changed, 8564 insertions, 1455 deletions
diff --git a/Gemfile b/Gemfile deleted file mode 100644 index 302ef415..00000000 --- a/Gemfile +++ /dev/null @@ -1,24 +0,0 @@ -source 'https://rubygems.org' - -group :development, :test do - gem 'puppetlabs_spec_helper', :require => false - - gem 'puppet-lint', '~> 1.1' - gem 'puppet-lint-absolute_classname-check' - gem 'puppet-lint-absolute_template_path' - gem 'puppet-lint-trailing_newline-check' - - # Puppet 4.x related lint checks - gem 'puppet-lint-unquoted_string-check' - gem 'puppet-lint-leading_zero-check' - gem 'puppet-lint-variable_contains_upcase' - gem 'puppet-lint-numericvariable' -end - -if puppetversion = ENV['PUPPET_GEM_VERSION'] - gem 'puppet', puppetversion, :require => false -else - gem 'puppet', :require => false -end - -# vim:ft=ruby @@ -116,5 +116,11 @@ and should be executed according to the following table: +----------------+-------------+-------------+-------------+-------------+-----------------+ | zaqar | | X | | | | +----------------+-------------+-------------+-------------+-------------+-----------------+ +| ec2api | | X | | | | ++----------------+-------------+-------------+-------------+-------------+-----------------+ | cephrgw | | X | | X | | +----------------+-------------+-------------+-------------+-------------+-----------------+ +| tacker | X | | | | | ++----------------+-------------+-------------+-------------+-------------+-----------------+ +| congress | X | | | | | ++----------------+-------------+-------------+-------------+-------------+-----------------+ diff --git a/Rakefile b/Rakefile deleted file mode 100644 index bca6a6c2..00000000 --- a/Rakefile +++ /dev/null @@ -1,6 +0,0 @@ -require 'puppetlabs_spec_helper/rake_tasks' -require 'puppet-lint/tasks/puppet-lint' - -PuppetLint.configuration.fail_on_warnings = true -PuppetLint.configuration.send('disable_80chars') -PuppetLint.configuration.send('disable_autoloader_layout') diff --git a/capabilities-map.yaml b/capabilities-map.yaml index d46a9fdb..cc22ff92 100644 
--- a/capabilities-map.yaml +++ b/capabilities-map.yaml @@ -370,6 +370,11 @@ topics: description: Enable C-Fabric in the overcloud requires: - overcloud-resource-registry-puppet.yaml + - file: environments/neutron-ml2-fujitsu-fossw.yaml + title: Fujitsu Neutron plugin for FOS + description: Enable FOS in the overcloud + requires: + - overcloud-resource-registry-puppet.yaml - title: Nova Extensions description: @@ -408,10 +413,10 @@ topics: requires: - overcloud-resource-registry-puppet.yaml - file: environments/cinder-dellsc-config.yaml - title: Cinder Dell Storage Center ISCSI backend + title: Cinder Dell EMC Storage Center ISCSI backend description: > - Enables a Cinder Dell Storage Center ISCSI backend, configured - via puppet + Enables a Cinder Dell EMC Storage Center ISCSI backend, + configured via puppet requires: - overcloud-resource-registry-puppet.yaml - file: environments/cinder-hpelefthand-config.yaml 
@@ -421,42 +426,77 @@ topics: via puppet requires: - overcloud-resource-registry-puppet.yaml - - file: environments/cinder-eqlx-config.yaml - title: Cinder EQLX backend + - file: environments/cinder-dellps-config.yaml + title: Cinder Dell EMC PS Series backend description: > - Enables a Cinder EQLX backend, configured via puppet + Enables a Cinder Dell EMC PS Series backend, + configured via puppet requires: - overcloud-resource-registry-puppet.yaml - file: environments/cinder-iser.yaml title: Cinder iSER backend description: > Enable a Cinder iSER RDMA backend, configured via puppet + - file: environments/cinder-scaleio-config.yaml + title: Cinder Dell EMC ScaleIO backend + description: > + Enables a Cinder Dell EMC ScaleIO backend, + configured via puppet requires: - overcloud-resource-registry-puppet.yaml - - title: Externally managed Ceph + - title: Ceph description: > - Enable the use of an externally managed Ceph cluster + Enable the use of Ceph in the overcloud environments: - file: environments/puppet-ceph-external.yaml title: Externally managed Ceph - description: + description: > + Configures the overcloud to use an externally managed Ceph cluster, via RBD driver. requires: - overcloud-resource-registry-puppet.yaml - - title: Ceph Devel + - file: environments/puppet-ceph.yaml + title: TripleO managed Ceph + description: > + Deploys a Ceph cluster via TripleO, requires at lease one CephStorage node or + use of hyperconverged-ceph.yaml environment for the HCI scenario, where CephOSD is + colocated with NovaCompute and configures the overcloud to use it, via RBD driver. + requires: + - overcloud-resource-registry-puppet.yaml + - title: CephMDS description: > - Enable a Ceph storage cluster using the controller and 2 ceph nodes. - Rbd backends are enabled for Cinder, Glance, and Nova. + Deploys CephMDS via TripleO, an additional Ceph service needed to create shared + filesystems hosted in Ceph. 
environments: - - file: environments/puppet-ceph-devel.yaml - title: Ceph Devel + - file: environments/services/ceph-mds.yaml + title: Deploys CephMDS description: requires: + - environments/puppet-ceph.yaml + - title: Ceph Rados Gateway + description: > + Deploys CephRGW via TripleO, transparently replaces Swift providing a compatible API + which stores data in the Ceph cluster. + environments: + - file: environments/ceph-radosgw.yaml + title: Deploys CephRGW + description: + requires: + - environments/puppet-ceph.yaml + - title: Manila with CephFS + description: > + Deploys Manila and configures it with the CephFS driver. This requires the deployment of + Ceph and CephMDS from TripleO or the use of an external Ceph cluster for the overcloud. + environments: + - file: environments/manila-cephfsnative-config.yaml + title: Deploys Manila with CephFS driver + description: Deploys Manila and configures CephFS as its default backend. + requires: - overcloud-resource-registry-puppet.yaml - title: Storage Environment description: > Can be used to set up storage backends. Defaults to Ceph used as a - backend for Cinder, Glance and Nova ephemeral storage. It configures - for example which services will use Ceph, or if any of the services + backend for Cinder, Glance, Nova ephemeral storage and Gnocchi. It + configures which services will use Ceph, or if any of the services will use NFS. And more. Usually requires to be edited by user first. tags: - no-gui 
@@ -532,3 +572,31 @@ topics: description: requires: - overcloud-resource-registry-puppet.yaml + + - title: Security Options + description: Security Hardening Options + environment_groups: + - title: SSH Banner Text + description: Enables population of SSH Banner Text + environments: + - file: environments/sshd-banner.yaml + title: SSH Banner Text + description: + requires: + - overcloud-resource-registry-puppet.yaml + - title: Horizon Password Validation + description: Enable Horizon Password validation + environments: + - file: environments/horizon_password_validation.yaml + title: Horizon Password Validation + description: + requires: + - overcloud-resource-registry-puppet.yaml + - title: AuditD Rules + description: Management of AuditD rules + environments: + - file: environments/auditd.yaml + title: AuditD Rule Management + description: + requires: + - overcloud-resource-registry-puppet.yaml diff --git a/ci/common/net-config-multinode-os-net-config.yaml b/ci/common/net-config-multinode-os-net-config.yaml new file mode 100644 index 00000000..8c50b641 --- /dev/null +++ b/ci/common/net-config-multinode-os-net-config.yaml 
@@ -0,0 +1,114 @@ +heat_template_version: ocata + +description: > + Software Config to drive os-net-config for a simple bridge configured + with a static IP address for the ctlplane network. + +parameters: + ControlPlaneIp: + default: '' + description: IP address/subnet on the ctlplane network + type: string + ExternalIpSubnet: + default: '' + description: IP address/subnet on the external network + type: string + InternalApiIpSubnet: + default: '' + description: IP address/subnet on the internal API network + type: string + StorageIpSubnet: + default: '' + description: IP address/subnet on the storage network + type: string + StorageMgmtIpSubnet: + default: '' + description: IP address/subnet on the storage mgmt network + type: string + TenantIpSubnet: + default: '' + description: IP address/subnet on the tenant network + type: string + ManagementIpSubnet: + default: '' + description: IP address/subnet on the management network + type: string + ControlPlaneSubnetCidr: # Override this via parameter_defaults + default: '24' + description: The subnet CIDR of the control plane network. + type: string + OvSBridgeMtu: + default: 1300 + description: The mtu of the OvS bridge + type: number + +resources: + + OsNetConfigImpl: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: + list_join: + - '' + - - | + #!/bin/bash + function network_config_hook { + primary_private_ip=$(cat /etc/nodepool/primary_node_private) + sed -i "s/primary_private_ip/$primary_private_ip/" /etc/os-net-config/config.json + subnode_private_ip=$(cat /etc/nodepool/node_private) + sed -i "s/subnode_private_ip/$subnode_private_ip/" /etc/os-net-config/config.json + # We start with an arbitrarily high vni key so that we don't + # overlap with Neutron created values. These will also match the + # values that we've been using previously from the devstack-gate + # code. 
+ vni=1000002 + subnode_index=$(grep -n $(cat /etc/nodepool/node_private) /etc/nodepool/sub_nodes_private | cut -d: -f1) + let vni+=$subnode_index + sed -i "s/vni/$vni/" /etc/os-net-config/config.json + export interface_name="br-ex_$primary_private_ip" + # Until we are fully migrated to os-net-config we need to clean + # up the old bridge first created by devstack-gate + ovs-vsctl del-br br-ex + } + + - + str_replace: + template: + get_file: ../../network/scripts/run-os-net-config.sh + params: + $network_config: + network_config: + - type: ovs_bridge + name: bridge_name + mtu: + get_param: OvSBridgeMtu + use_dhcp: false + addresses: + - ip_netmask: + list_join: + - "/" + - - get_param: ControlPlaneIp + - get_param: ControlPlaneSubnetCidr + members: + - type: ovs_tunnel + name: interface_name + tunnel_type: vxlan + ovs_options: + - list_join: + - "=" + - - key + - vni + - list_join: + - "=" + - - remote_ip + - primary_private_ip + - list_join: + - "=" + - - local_ip + - subnode_private_ip + +outputs: + OS::stack_id: + description: The OsNetConfigImpl resource. + value: {get_resource: OsNetConfigImpl} diff --git a/ci/common/net-config-multinode.yaml b/ci/common/net-config-multinode.yaml index bf947d3e..dc31235a 100644 --- a/ci/common/net-config-multinode.yaml +++ b/ci/common/net-config-multinode.yaml @@ -47,7 +47,9 @@ resources: str_replace: template: | #!/bin/bash - ip addr add CONTROLPLANEIP/CONTROLPLANESUBNETCIDR dev $bridge_name + if ! ip addr show dev $bridge_name | grep CONTROLPLANEIP/CONTROLPLANESUBNETCIDR; then + ip addr add CONTROLPLANEIP/CONTROLPLANESUBNETCIDR dev $bridge_name + fi params: CONTROLPLANEIP: {get_param: ControlPlaneIp} CONTROLPLANESUBNETCIDR: {get_param: ControlPlaneSubnetCidr} diff --git a/ci/environments/multinode-3nodes.yaml b/ci/environments/multinode-3nodes.yaml new file mode 100644 index 00000000..f35a0804 --- /dev/null +++ b/ci/environments/multinode-3nodes.yaml 
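Review bot: In `network_config_hook`, `grep -n $(cat /etc/nodepool/node_private) /etc/nodepool/sub_nodes_private` treats the address as an unanchored regular expression, so `10.0.0.1` also matches a line holding `10.0.0.10` and each dot matches any character. With more than one hit `subnode_index` holds several line numbers, and with no hit it is empty; in both cases the following `let vni+=$subnode_index` yields a wrong VNI or an error. A fixed-string, whole-line match avoids this: `grep -nFx -- "$subnode_private_ip" /etc/nodepool/sub_nodes_private`, followed by a check that the result is a single number. `ovs-vsctl del-br br-ex` would be safer as `ovs-vsctl --if-exists del-br br-ex`, because the error handling of the surrounding run-os-net-config.sh is not visible in this hunk.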
@@ -0,0 +1,77 @@ +# Specifies which roles (groups of nodes) will be deployed +# Note this is used as an input to the various *.j2.yaml +# jinja2 templates, so that they are converted into *.yaml +# during the plan creation (via a mistral action/workflow). +# +# The format is a list, with the following format: +# +# * name: (string) mandatory, name of the role, must be unique +# +# CountDefault: (number) optional, default number of nodes, defaults to 0 +# sets the default for the {{role.name}}Count parameter in overcloud.yaml +# +# HostnameFormatDefault: (string) optional default format string for hostname +# defaults to '%stackname%-{{role.name.lower()}}-%index%' +# sets the default for {{role.name}}HostnameFormat parameter in overcloud.yaml +# +# ServicesDefault: (list) optional default list of services to be deployed +# on the role, defaults to an empty list. Sets the default for the +# {{role.name}}Services parameter in overcloud.yaml + +- name: ControllerApi + CountDefault: 1 + ServicesDefault: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::CinderApi + - OS::TripleO::Services::CinderScheduler + - OS::TripleO::Services::Core + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Keystone + - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::HeatApi + - OS::TripleO::Services::HeatApiCfn + - OS::TripleO::Services::HeatApiCloudwatch + - OS::TripleO::Services::HeatEngine + - OS::TripleO::Services::NeutronDhcpAgent + - OS::TripleO::Services::NeutronL3Agent + - OS::TripleO::Services::NeutronMetadataAgent + - OS::TripleO::Services::NeutronApi + - OS::TripleO::Services::NeutronCorePlugin + - OS::TripleO::Services::NeutronOvsAgent + - OS::TripleO::Services::NovaConductor + - OS::TripleO::Services::NovaApi + - OS::TripleO::Services::NovaPlacement + - OS::TripleO::Services::NovaMetadata + - OS::TripleO::Services::NovaScheduler + - OS::TripleO::Services::NovaConsoleauth + - OS::TripleO::Services::NovaVncProxy + - OS::TripleO::Services::Ntp + - 
OS::TripleO::Services::SwiftProxy + - OS::TripleO::Services::SwiftStorage + - OS::TripleO::Services::SwiftRingBuilder + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::NovaCompute + - OS::TripleO::Services::NovaLibvirt + +- name: Controller + CountDefault: 1 + ServicesDefault: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::CinderBackup + - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::Core + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::MySQL + - OS::TripleO::Services::RabbitMQ + - OS::TripleO::Services::HAproxy + - OS::TripleO::Services::Keepalived + - OS::TripleO::Services::Memcached + - OS::TripleO::Services::Pacemaker + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall diff --git a/ci/environments/multinode.yaml b/ci/environments/multinode.yaml new file mode 100644 index 00000000..212f6a23 --- /dev/null +++ b/ci/environments/multinode.yaml 
@@ -0,0 +1,48 @@ +resource_registry: + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + +parameter_defaults: + ControllerServices: + - OS::TripleO::Services::CinderApi + - OS::TripleO::Services::CinderScheduler + - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Keystone + - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::HeatApi + - OS::TripleO::Services::HeatApiCfn + - OS::TripleO::Services::HeatApiCloudwatch + - OS::TripleO::Services::HeatEngine + - OS::TripleO::Services::MySQL + - OS::TripleO::Services::NeutronDhcpAgent + - OS::TripleO::Services::NeutronL3Agent + - OS::TripleO::Services::NeutronMetadataAgent + - OS::TripleO::Services::NeutronServer + - OS::TripleO::Services::NeutronCorePlugin + - OS::TripleO::Services::NeutronOvsAgent + - OS::TripleO::Services::RabbitMQ + - OS::TripleO::Services::HAproxy + - OS::TripleO::Services::Keepalived + - OS::TripleO::Services::Memcached + - OS::TripleO::Services::Pacemaker + - OS::TripleO::Services::NovaConductor + - OS::TripleO::Services::NovaApi + - OS::TripleO::Services::NovaPlacement + - OS::TripleO::Services::NovaMetadata + - OS::TripleO::Services::NovaScheduler + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::SwiftProxy + - OS::TripleO::Services::SwiftStorage + - OS::TripleO::Services::SwiftRingBuilder + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::NovaCompute + - OS::TripleO::Services::NovaLibvirt + ControllerExtraConfig: + nova::compute::libvirt::services::libvirt_virt_type: qemu + nova::compute::libvirt::libvirt_virt_type: qemu + # Required for Centos 7.3 and Qemu 2.6.0 + nova::compute::libvirt::libvirt_cpu_mode: 'none' + SwiftCeilometerPipelineEnabled: False + Debug: True 
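Review bot: `ControllerServices` in this new environment lists neither `OS::TripleO::Services::TripleoFirewall` nor `OS::TripleO::Services::TripleoPackages`, while the same commit appends both to the scenario001–004 environments and includes them in multinode_major_upgrade.yaml and multinode-3nodes.yaml. If the omission is deliberate, a comment above the list such as `# firewall management intentionally not deployed in this job` would keep it from being copied into other environments. Otherwise add the two entries so this job presumably also runs with the firewall rules managed.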
diff --git a/ci/environments/multinode_major_upgrade.yaml b/ci/environments/multinode_major_upgrade.yaml
new file mode 100644
index 00000000..56d04de5
--- /dev/null
+++ b/ci/environments/multinode_major_upgrade.yaml
@@ -0,0 +1,48 @@ +resource_registry: + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml + OS::TripleO::Services::Core: multinode-core.yaml + +parameter_defaults: + ControllerServices: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::Core + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Keystone + - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::GlanceRegistry + - OS::TripleO::Services::NeutronDhcpAgent + - OS::TripleO::Services::NeutronL3Agent + - OS::TripleO::Services::NeutronMetadataAgent + - OS::TripleO::Services::NeutronServer + - OS::TripleO::Services::NeutronCorePlugin + - OS::TripleO::Services::NeutronOvsAgent + - OS::TripleO::Services::CinderApi + - OS::TripleO::Services::CinderScheduler + - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::HeatApi + - OS::TripleO::Services::HeatApiCfn + - OS::TripleO::Services::HeatApiCloudwatch + - OS::TripleO::Services::HeatEngine + - OS::TripleO::Services::SwiftProxy + - OS::TripleO::Services::SwiftStorage + - OS::TripleO::Services::SwiftRingBuilder + - OS::TripleO::Services::SaharaApi + - OS::TripleO::Services::SaharaEngine + - OS::TripleO::Services::MySQL + - OS::TripleO::Services::RabbitMQ + - OS::TripleO::Services::HAproxy + - OS::TripleO::Services::Keepalived + - OS::TripleO::Services::Memcached + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall + ControllerExtraConfig: + nova::compute::libvirt::services::libvirt_virt_type: qemu + nova::compute::libvirt::libvirt_virt_type: qemu + # Required for Centos 7.3 and Qemu 2.6.0 + nova::compute::libvirt::libvirt_cpu_mode: 'none' + heat::rpc_response_timeout: 600 + SwiftCeilometerPipelineEnabled: False + Debug: True 
diff --git a/ci/environments/scenario001-multinode.yaml b/ci/environments/scenario001-multinode.yaml index db6967e0..72e25704 100644 --- a/ci/environments/scenario001-multinode.yaml +++ b/ci/environments/scenario001-multinode.yaml @@ -1,10 +1,13 @@ resource_registry: - OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml - OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml OS::TripleO::Services::CephMon: /usr/share/openstack-tripleo-heat-templates/puppet/services/ceph-mon.yaml OS::TripleO::Services::CephOSD: /usr/share/openstack-tripleo-heat-templates/puppet/services/ceph-osd.yaml OS::TripleO::Services::CephClient: /usr/share/openstack-tripleo-heat-templates/puppet/services/ceph-client.yaml OS::TripleO::Services::PankoApi: /usr/share/openstack-tripleo-heat-templates/puppet/services/panko-api.yaml + OS::TripleO::Services::Collectd: /usr/share/openstack-tripleo-heat-templates/puppet/services/metrics/collectd.yaml + OS::TripleO::Services::Tacker: /usr/share/openstack-tripleo-heat-templates/puppet/services/tacker.yaml + OS::TripleO::Services::Congress: /usr/share/openstack-tripleo-heat-templates/puppet/services/congress.yaml parameter_defaults: ControllerServices: @@ -34,6 +37,7 @@ parameter_defaults: - OS::TripleO::Services::NovaScheduler - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd - OS::TripleO::Services::Timezone - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt 
@@ -59,6 +63,11 @@ parameter_defaults: - OS::TripleO::Services::CinderBackup - OS::TripleO::Services::CinderScheduler - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::Collectd + - OS::TripleO::Services::Tacker + - OS::TripleO::Services::Congress + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu @@ -81,3 +90,14 @@ parameter_defaults: GlanceBackend: rbd GnocchiBackend: rbd CinderEnableIscsiBackend: false + BannerText: | + ****************************************************************** + * This system is for the use of authorized users only. Usage of * + * this system may be monitored and recorded by system personnel. * + * Anyone using this system expressly consents to such monitoring * + * and is advised that if such monitoring reveals possible * + * evidence of criminal activity, system personnel may provide * + * the evidence from such monitoring to law enforcement officials.* + ****************************************************************** + CollectdExtraPlugins: + - rrdtool diff --git a/ci/environments/scenario002-multinode.yaml b/ci/environments/scenario002-multinode.yaml index 636b3a26..bf4721e2 100644 --- a/ci/environments/scenario002-multinode.yaml +++ b/ci/environments/scenario002-multinode.yaml 
@@ -1,8 +1,9 @@ resource_registry: - OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml - OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml OS::TripleO::Services::BarbicanApi: ../../puppet/services/barbican-api.yaml OS::TripleO::Services::Zaqar: ../../puppet/services/zaqar.yaml + OS::TripleO::Services::Ec2Api: ../../puppet/services/ec2-api.yaml parameter_defaults: ControllerServices: @@ -45,6 +46,9 @@ parameter_defaults: - OS::TripleO::Services::BarbicanApi - OS::TripleO::Services::MongoDb - OS::TripleO::Services::Zaqar + - OS::TripleO::Services::Ec2Api + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/ci/environments/scenario003-multinode.yaml b/ci/environments/scenario003-multinode.yaml index 08e4d19f..9167010c 100644 --- a/ci/environments/scenario003-multinode.yaml +++ b/ci/environments/scenario003-multinode.yaml @@ -1,6 +1,6 @@ resource_registry: - OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml - OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml OS::TripleO::Services::SaharaApi: ../../puppet/services/sahara-api.yaml OS::TripleO::Services::SaharaEngine: ../../puppet/services/sahara-engine.yaml OS::TripleO::Services::MistralApi: ../../puppet/services/mistral-api.yaml 
@@ -43,6 +43,8 @@ parameter_defaults: - OS::TripleO::Services::MistralApi - OS::TripleO::Services::MistralEngine - OS::TripleO::Services::MistralExecutor + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/ci/environments/scenario004-multinode.yaml b/ci/environments/scenario004-multinode.yaml index e97113b0..87b10ca1 100644 --- a/ci/environments/scenario004-multinode.yaml +++ b/ci/environments/scenario004-multinode.yaml @@ -1,6 +1,6 @@ resource_registry: - OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode.yaml - OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode.yaml + OS::TripleO::Controller::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml + OS::TripleO::Compute::Net::SoftwareConfig: ../common/net-config-multinode-os-net-config.yaml OS::TripleO::Services::CephMon: /usr/share/openstack-tripleo-heat-templates/puppet/services/ceph-mon.yaml OS::TripleO::Services::CephOSD: /usr/share/openstack-tripleo-heat-templates/puppet/services/ceph-osd.yaml OS::TripleO::Services::CephClient: /usr/share/openstack-tripleo-heat-templates/puppet/services/ceph-client.yaml @@ -44,6 +44,8 @@ parameter_defaults: - OS::TripleO::Services::CephOSD - OS::TripleO::Services::CephClient - OS::TripleO::Services::CephRgw + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall ControllerExtraConfig: nova::compute::libvirt::services::libvirt_virt_type: qemu nova::compute::libvirt::libvirt_virt_type: qemu diff --git a/ci/pingtests/scenario002-multinode.yaml b/ci/pingtests/scenario002-multinode.yaml index 7af1ba0c..da1ae60c 100644 --- a/ci/pingtests/scenario002-multinode.yaml +++ b/ci/pingtests/scenario002-multinode.yaml 
@@ -81,7 +81,7 @@ resources:
 type: OS::Cinder::EncryptedVolumeType
 properties:
 volume_type: {get_resource: luks_volume_type}
- provider: nova.volume.encryptors.luks.LuksEncryptor
+ provider: luks
 cipher: aes-xts-plain64
 control_location: front-end
 key_size: 256
diff --git a/ci/pingtests/tenantvm_floatingip.yaml b/ci/pingtests/tenantvm_floatingip.yaml
new file mode 100644
index 00000000..b910d6c1
--- /dev/null
+++ b/ci/pingtests/tenantvm_floatingip.yaml
@@ -0,0 +1,142 @@ +heat_template_version: ocata + +description: > + This template resides in tripleo-ci for Mitaka CI jobs only. + For Newton and beyond, please look in THT. + HOT template to create a new neutron network plus a router to the public + network, and for deploying a server into the new network. The template also + assigns a floating IP address and sets security group rules. ADAPTED FROM + https://raw.githubusercontent.com/openstack/heat-templates/master/hot/servers_in_new_neutron_net.yaml +parameters: + key_name: + type: string + description: Name of keypair to assign to servers + default: 'pingtest_key' + image: + type: string + description: Name of image to use for servers + default: 'pingtest_image' + public_net_name: + type: string + default: 'nova' + description: > + ID or name of public network for which floating IP addresses will be allocated + private_net_name: + type: string + description: Name of private network to be created + default: 'default-net' + private_net_cidr: + type: string + description: Private network address (CIDR notation) + default: '192.168.2.0/24' + private_net_gateway: + type: string + description: Private network gateway address + default: '192.168.2.1' + private_net_pool_start: + type: string + description: Start of private network IP address allocation pool + default: '192.168.2.100' + private_net_pool_end: + type: string + default: '192.168.2.200' + description: End of private network IP address allocation pool + +resources: + + key_pair: + type: OS::Nova::KeyPair + properties: + save_private_key: true + name: {get_param: key_name } + + private_net: + type: OS::Neutron::Net + properties: + name: { get_param: private_net_name } + + private_subnet: + type: OS::Neutron::Subnet + properties: + network_id: { get_resource: private_net } + cidr: { get_param: private_net_cidr } + gateway_ip: { get_param: private_net_gateway } + allocation_pools: + - start: { get_param: private_net_pool_start } + end: { get_param: 
private_net_pool_end } + + router: + type: OS::Neutron::Router + properties: + external_gateway_info: + network: { get_param: public_net_name } + + router_interface: + type: OS::Neutron::RouterInterface + properties: + router_id: { get_resource: router } + subnet_id: { get_resource: private_subnet } + + volume1: + type: OS::Cinder::Volume + properties: + name: Volume1 + image: { get_param: image } + size: 1 + + server1: + type: OS::Nova::Server + depends_on: volume1 + properties: + name: Server1 + block_device_mapping: + - device_name: vda + volume_id: { get_resource: volume1 } + flavor: { get_resource: test_flavor } + key_name: { get_resource: key_pair } + networks: + - port: { get_resource: server1_port } + + server1_port: + type: OS::Neutron::Port + properties: + network_id: { get_resource: private_net } + fixed_ips: + - subnet_id: { get_resource: private_subnet } + security_groups: [{ get_resource: server_security_group }] + + server1_floating_ip: + type: OS::Neutron::FloatingIP + # TODO: investigate why we need this depends_on and if we could + # replace it by router_id with get_resource: router_interface + depends_on: router_interface + properties: + floating_network: { get_param: public_net_name } + port_id: { get_resource: server1_port } + + server_security_group: + type: OS::Neutron::SecurityGroup + properties: + description: Add security group rules for server + name: pingtest-security-group + rules: + - remote_ip_prefix: 0.0.0.0/0 + protocol: tcp + port_range_min: 22 + port_range_max: 22 + - remote_ip_prefix: 0.0.0.0/0 + protocol: icmp + + test_flavor: + type: OS::Nova::Flavor + properties: + ram: 512 + vcpus: 1 + +outputs: + server1_private_ip: + description: IP address of server1 in private network + value: { get_attr: [ server1, first_address ] } + server1_public_ip: + description: Floating IP address of server1 in public network + value: { get_attr: [ server1_floating_ip, floating_ip_address ] } 
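Review bot: `key_pair` sets `save_private_key: true`, which makes Heat keep the generated private key with the stack, yet nothing in this template reads it back; the outputs are only the two addresses. Drop the property, or expose the key through an explicit output if the test needs it, so that it is not left retrievable by anyone who can read the stack. `server_security_group` also opens tcp/22 to `0.0.0.0/0`; a `remote_ip_prefix` taken from a parameter would let a job narrow SSH reachability to the network the test runs from. The description still says the template resides in tripleo-ci for Mitaka jobs only, which no longer matches a file added here with `heat_template_version: ocata`.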
diff --git a/ci/scripts/freeipa_setup.sh b/ci/scripts/freeipa_setup.sh index a36493a1..e699841f 100644 --- a/ci/scripts/freeipa_setup.sh +++ b/ci/scripts/freeipa_setup.sh @@ -10,6 +10,9 @@ # - HostsSecret # - ProvisioningCIDR: If set, it adds the given CIDR to the provisioning # interface (which is hardcoded to eth1) +# - UsingNovajoin: If unset, we pre-provision the service principals +# needed for the overcloud deploy. If set, we skip this, +# since novajoin will do it. # set -eux @@ -19,6 +22,15 @@ elif [ -f "/tmp/freeipa-setup.env" ]; then source /tmp/freeipa-setup.env fi +export Hostname=${Hostname:-""} +export FreeIPAIP=${FreeIPAIP:-""} +export DirectoryManagerPassword=${DirectoryManagerPassword:-""} +export AdminPassword=${AdminPassword:-""} +export UndercloudFQDN=${UndercloudFQDN:-""} +export HostsSecret=${HostsSecret:-""} +export ProvisioningCIDR=${ProvisioningCIDR:-""} +export UsingNovajoin=${UsingNovajoin:-""} + if [ -n "$ProvisioningCIDR" ]; then # Add address to provisioning network interface ip link set dev eth1 up @@ -82,7 +94,9 @@ rm -f /etc/httpd/conf.d/ssl.conf # Set up FreeIPA ipa-server-install -U -r `hostname -d|tr "[a-z]" "[A-Z]"` \ -p $DirectoryManagerPassword -a $AdminPassword \ - --hostname `hostname -f` + --hostname `hostname -f` \ + --ip-address=$FreeIPAIP \ + --setup-dns --auto-forwarders --auto-reverse # Authenticate echo $AdminPassword | kinit admin 
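Review bot: The added `export VAR=${VAR:-""}` block gives the required values (`DirectoryManagerPassword`, `AdminPassword`, `HostsSecret`, `FreeIPAIP`, `UndercloudFQDN`) an empty default, which defeats the `set -u` in `set -eux` that would otherwise abort when one is missing. The expansions further down are unquoted, so an empty password leaves `-p` or `-a` without its value in the `ipa-server-install` call, and the following hunk (`@@ -82,7 +94,9 @@`) would pass a bare `--ip-address=`. Keep the empty default only for the optional `ProvisioningCIDR` and `UsingNovajoin` and fail fast on the rest, e.g. `: "${AdminPassword:?AdminPassword must be set}"`. `export` also places the passwords in the environment of every child process and `set -x` prints them into the job log, so plain assignments and a `set +x` around the lines that use them would limit the exposure.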
@@ -94,11 +108,13 @@ if [ "$?" = '1' ]; then exit 1 fi -# Create undercloud host -ipa host-add $UndercloudFQDN --password=$HostsSecret --force +if [ -z "$UsingNovajoin" ]; then + # Create undercloud host + ipa host-add $UndercloudFQDN --password=$HostsSecret --force -# Create overcloud nodes and services -git clone https://github.com/JAORMX/freeipa-tripleo-incubator.git -cd freeipa-tripleo-incubator -python create_ipa_tripleo_host_setup.py -w $HostsSecret -d $(hostname -d) \ - --controller-count 1 --compute-count 1 + # Create overcloud nodes and services + git clone https://github.com/JAORMX/freeipa-tripleo-incubator.git + cd freeipa-tripleo-incubator + python create_ipa_tripleo_host_setup.py -w $HostsSecret -d $(hostname -d) \ + --controller-count 1 --compute-count 1 +fi diff --git a/deployed-server/deployed-server-bootstrap-rhel.sh b/deployed-server/deployed-server-bootstrap-rhel.sh new file mode 100644 index 00000000..36ff0077 --- /dev/null +++ b/deployed-server/deployed-server-bootstrap-rhel.sh @@ -0,0 +1,13 @@ +#!/bin/bash + +set -eux + +yum install -y \ + jq \ + python-ipaddr \ + openstack-puppet-modules \ + os-net-config \ + openvswitch \ + python-heat-agent* + +ln -s -f /usr/share/openstack-puppet/modules/* /etc/puppet/modules diff --git a/deployed-server/deployed-server-bootstrap-rhel.yaml b/deployed-server/deployed-server-bootstrap-rhel.yaml new file mode 100644 index 00000000..2d2f5156 --- /dev/null +++ b/deployed-server/deployed-server-bootstrap-rhel.yaml @@ -0,0 +1,22 @@ +heat_template_version: ocata + +description: 'Deployed Server Bootstrap Config' + +parameters: + + server: + type: string + +resources: + + DeployedServerBootstrapConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: {get_file: deployed-server-bootstrap-rhel.sh} + + DeployedServerBootstrapDeployment: + type: OS::Heat::SoftwareDeployment + properties: + config: {get_resource: DeployedServerBootstrapConfig} + server: {get_param: server} 
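Review bot: Inside the new `if [ -z "$UsingNovajoin" ]` branch the script still clones `https://github.com/JAORMX/freeipa-tripleo-incubator.git` at whatever its default branch currently holds and runs `create_ipa_tripleo_host_setup.py` from it right after `kinit admin`, that is, with an admin ticket. Pinning the checkout to a reviewed revision keeps a later change in that repository from running with those credentials: add `git checkout <PINNED_COMMIT_SHA>` after the `cd`. `$HostsSecret` is passed unquoted on the command line to both `ipa host-add` and the Python script; quote it as `"$HostsSecret"`. Because the script runs under `set -eux`, these lines are also written to the trace output with the secret expanded, so consider `set +x` around them.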
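Review bot: The unquoted `python-heat-agent*` in the `yum install` list is subject to shell pathname expansion before yum sees it, so a matching file name in the working directory would change what gets installed. Quote it so that yum does the matching: `'python-heat-agent*'`. The closing `ln -s -f /usr/share/openstack-puppet/modules/* /etc/puppet/modules` assumes `/etc/puppet/modules` already exists as a directory; a preceding `mkdir -p /etc/puppet/modules` would make that explicit.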
diff --git a/docker/copy-json.py b/docker/copy-json.py
deleted file mode 100644
index e85ff11e..00000000
--- a/docker/copy-json.py
+++ /dev/null
@@ -1,72 +0,0 @@ -#!/bin/python -import json -import os - -data = {} -file_perms = '0600' -libvirt_perms = '0644' - -libvirt_config = os.getenv('libvirt_config').split(',') -nova_config = os.getenv('nova_config').split(',') -neutron_openvswitch_agent_config = os.getenv('neutron_openvswitch_agent_config').split(',') - -# Command, Config_files, Owner, Perms -services = { - 'nova-libvirt': [ - '/usr/sbin/libvirtd', - libvirt_config, - 'root', - libvirt_perms], - 'nova-compute': [ - '/usr/bin/nova-compute', - nova_config, - 'nova', - file_perms], - 'neutron-openvswitch-agent': [ - '/usr/bin/neutron-openvswitch-agent', - neutron_openvswitch_agent_config, - 'neutron', - file_perms], - 'ovs-vswitchd': [ - '/usr/sbin/ovs-vswitchd unix:/run/openvswitch/db.sock -vconsole:emer -vsyslog:err -vfile:info --mlockall --log-file=/var/log/kolla/openvswitch/ovs-vswitchd.log'], - 'ovsdb-server': [ - '/usr/sbin/ovsdb-server /etc/openvswitch/conf.db -vconsole:emer -vsyslog:err -vfile:info --remote=punix:/run/openvswitch/db.sock --remote=ptcp:6640:127.0.0.1 --log-file=/var/log/kolla/openvswitch/ovsdb-server.log'] -} - - -def build_config_files(config, owner, perms): - config_source = '/var/lib/kolla/config_files/' - config_files_dict = {} - source = os.path.basename(config) - dest = config - config_files_dict.update({'source': config_source + source, - 'dest': dest, - 'owner': owner, - 'perm': perms}) - return config_files_dict - - -for service in services: - if service != 'ovs-vswitchd' and service != 'ovsdb-server': - command = services.get(service)[0] - config_files = services.get(service)[1] - owner = services.get(service)[2] - perms = services.get(service)[3] - config_files_list = [] - for config_file in config_files: - if service == 'nova-libvirt': - command = command + ' --config ' + config_file - else: - command = command + ' --config-file ' + config_file - data['command'] = command - config_files_dict = build_config_files(config_file, owner, perms) - 
config_files_list.append(config_files_dict) - data['config_files'] = config_files_list - else: - data['command'] = services.get(service)[0] - data['config_files'] = [] - - json_config_dir = '/var/lib/etc-data/json-config/' - with open(json_config_dir + service + '.json', 'w') as json_file: - json.dump(data, json_file, sort_keys=True, indent=4, - separators=(',', ': ')) diff --git a/docker/post.j2.yaml b/docker/post.j2.yaml index 1ba96e27..dfa8ac2e 100644 --- a/docker/post.j2.yaml +++ b/docker/post.j2.yaml @@ -8,7 +8,6 @@ parameters: servers: type: json description: Mapping of Role name e.g Controller to a list of servers - role_data: type: json description: Mapping of Role name e.g Controller to the per-role data @@ -19,23 +18,11 @@ parameters: description: > Setting this to a unique value will re-run any deployment tasks which perform configuration on a Heat stack-update. - - DockerNamespace: - description: namespace - default: 'tripleoupstream' - type: string - - LibvirtConfig: - type: string - default: "/etc/libvirt/libvirtd.conf" - - NovaConfig: - type: string - default: "/etc/nova/nova.conf,/etc/nova/rootwrap.conf" - - NeutronOpenvswitchAgentConfig: - type: string - default: "/etc/neutron/neutron.conf,/etc/neutron/plugins/ml2/openvswitch_agent.ini" + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json resources: 
@@ -174,31 +161,24 @@ resources: servers: {get_param: [servers, {{role.name}}]} config: {get_resource: CopyEtcConfig} - CopyJsonConfig: - type: OS::Heat::SoftwareConfig + {{role.name}}KollaJsonConfig: + type: OS::Heat::StructuredConfig + depends_on: CopyEtcDeployment properties: - group: script - inputs: - - name: libvirt_config - - name: nova_config - - name: neutron_openvswitch_agent_config - config: {get_file: ../docker/copy-json.py} + group: json-file + config: + {get_param: [role_data, {{role.name}}, kolla_config]} - CopyJsonDeployment: + {{role.name}}KollaJsonDeployment: type: OS::Heat::SoftwareDeploymentGroup - depends_on: CopyEtcDeployment properties: - name: CopyJsonDeployment - config: {get_resource: CopyJsonConfig} + name: {{role.name}}KollaJsonDeployment + config: {get_resource: {{role.name}}KollaJsonConfig} servers: {get_param: [servers, {{role.name}}]} - input_values: - libvirt_config: {get_param: LibvirtConfig} - nova_config: {get_param: NovaConfig} - neutron_openvswitch_agent_config: {get_param: NeutronOpenvswitchAgentConfig} {{role.name}}ContainersConfig_Step1: type: OS::Heat::StructuredConfig - depends_on: CopyJsonDeployment + depends_on: {{role.name}}KollaJsonDeployment properties: group: docker-cmd config: @@ -206,7 +186,7 @@ resources: {{role.name}}ContainersConfig_Step2: type: OS::Heat::StructuredConfig - depends_on: CopyJsonDeployment + depends_on: {{role.name}}KollaJsonDeployment properties: group: docker-cmd config: diff --git a/docker/services/README.rst b/docker/services/README.rst index 8d1f9e86..60719bfc 100644 --- a/docker/services/README.rst +++ b/docker/services/README.rst 
@@ -32,6 +32,11 @@ are re-asserted when applying latter ones. * config_settings: Custom hiera settings for this service. These are used to generate configs. + * kolla_config: Contains YAML that represents how to map config files + into the kolla container. This config file is typically mapped into + the container itself at the /var/lib/kolla/config_files/config.json + location and drives how kolla's external config mechanisms work. + * step_config: A puppet manifest that is used to step through the deployment sequence. Each sequence is given a "step" (via hiera('step') that provides information for when puppet classes should activate themselves. diff --git a/docker/services/neutron-ovs-agent.yaml b/docker/services/neutron-ovs-agent.yaml index 1c9e60db..0a061f6c 100644 --- a/docker/services/neutron-ovs-agent.yaml +++ b/docker/services/neutron-ovs-agent.yaml @@ -43,6 +43,22 @@ outputs: config_settings: {get_attr: [NeutronOvsAgentBase, role_data, config_settings]} step_config: {get_attr: [NeutronOvsAgentBase, role_data, step_config]} puppet_tags: neutron_config,neutron_agent_ovs,neutron_plugin_ml2 + kolla_config: + /var/lib/etc-data/json-config/neutron-openvswitch-agent.json: + command: /usr/bin/neutron-openvswitch-agent --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugins/ml2/openvswitch_agent.ini --config-file /etc/neutron/plugins/ml2/ml2_conf.ini + config_files: + - dest: /etc/neutron/neutron.conf + owner: neutron + perm: '0600' + source: /var/lib/kolla/config_files/neutron.conf + - dest: /etc/neutron/plugins/ml2/openvswitch_agent.ini + owner: neutron + perm: '0600' + source: /var/lib/kolla/config_files/openvswitch_agent.ini + - dest: /etc/neutron/plugins/ml2/ml2_conf.ini + owner: neutron + perm: '0600' + source: /var/lib/kolla/config_files/ml2_conf.ini docker_config: step_1: neutronovsagent: diff --git a/docker/services/nova-compute.yaml b/docker/services/nova-compute.yaml index c695c94d..e765609e 100644 
--- a/docker/services/nova-compute.yaml +++ b/docker/services/nova-compute.yaml @@ -41,6 +41,18 @@ outputs: config_settings: {get_attr: [NovaComputeBase, role_data, config_settings]} step_config: {get_attr: [NovaComputeBase, role_data, step_config]} puppet_tags: nova_config,nova_paste_api_ini + kolla_config: + /var/lib/etc-data/json-config/nova-compute.json: + command: /usr/bin/nova-compute --config-file /etc/nova/nova.conf --config-file /etc/nova/rootwrap.conf + config_files: + - dest: /etc/nova/nova.conf + owner: nova + perm: '0600' + source: /var/lib/kolla/config_files/nova.conf + - dest: /etc/nova/rootwrap.conf + owner: nova + perm: '0600' + source: /var/lib/kolla/config_files/rootwrap.conf docker_config: step_1: novacompute: diff --git a/docker/services/nova-libvirt.yaml b/docker/services/nova-libvirt.yaml index a40a21fd..004d624a 100644 --- a/docker/services/nova-libvirt.yaml +++ b/docker/services/nova-libvirt.yaml @@ -41,6 +41,14 @@ outputs: config_settings: {get_attr: [NovaLibvirtBase, role_data, config_settings]} step_config: {get_attr: [NovaLibvirtBase, role_data, step_config]} puppet_tags: nova_config + kolla_config: + /var/lib/etc-data/json-config/nova-libvirt.json: + command: /usr/sbin/libvirtd --config /etc/libvirt/libvirtd.conf + config_files: + - dest: /etc/libvirt/libvirtd.conf + owner: root + perm: '0644' + source: /var/lib/kolla/config_files/libvirtd.conf docker_config: step_1: nova_libvirt: diff --git a/docker/services/services.yaml b/docker/services/services.yaml index 3d51eb19..8c31107f 100644 --- a/docker/services/services.yaml +++ b/docker/services/services.yaml 
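Review bot: In the nova-compute `kolla_config`, `/etc/nova/rootwrap.conf` is installed with `owner: nova` and `perm: '0600'`, which lets the service account rewrite the file that names the rootwrap filter directories. Rootwrap's protection depends on that file being writable only by root, so if the image lets `nova` invoke `nova-rootwrap` through sudo (not visible here) this ownership would undo the command filtering. Use `owner: root` with `perm: '0644'` for this entry, as the nova-libvirt hunk does for `libvirtd.conf`. It is also worth confirming that `rootwrap.conf` belongs on the `nova-compute` command line as a `--config-file` at all.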
@@ -68,6 +68,8 @@ outputs: step_config: {get_attr: [PuppetServices, role_data, step_config]} puppet_tags: {list_join: [",", {get_attr: [ServiceChain, role_data, puppet_tags]}]} + kolla_config: + map_merge: {get_attr: [ServiceChain, role_data, kolla_config]} docker_config: step_1: {map_merge: {get_attr: [ServiceChain, role_data, docker_config, step_1]}} step_2: {map_merge: {get_attr: [ServiceChain, role_data, docker_config, step_2]}} diff --git a/environments/auditd.yaml b/environments/auditd.yaml new file mode 100644 index 00000000..b358c98a --- /dev/null +++ b/environments/auditd.yaml 
@@ -0,0 +1,119 @@ +resource_registry: + OS::TripleO::Services::AuditD: ../puppet/services/auditd.yaml + +parameter_defaults: + AuditdRules: + 'Record attempts to alter time through adjtimex': + content: '-a always,exit -F arch=b64 -S adjtimex -k audit_time_rules' + order : 1 + 'Record attempts to alter time through settimeofday': + content: '-a always,exit -F arch=b64 -S settimeofday -k audit_time_rules' + order : 2 + 'Record Attempts to Alter Time Through stime': + content: '-a always,exit -F arch=b64 -S stime -k audit_time_rules' + order : 3 + 'Record Attempts to Alter Time Through clock_settime': + content: '-a always,exit -F arch=b64 -S clock_settime -k audit_time_rules' + order : 4 + 'Record Attempts to Alter the localtime File': + content: '-w /etc/localtime -p wa -k audit_time_rules' + order : 5 + 'Record Events that Modify the Systems Discretionary Access Controls - chmod': + content: '-a always,exit -F arch=b64 -S chmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 5 + 'Record Events that Modify the Systems Discretionary Access Controls - chown': + content: '-a always,exit -F arch=b64 -S chown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 6 + 'Record Events that Modify the Systems Discretionary Access Controls - fchmod': + content: '-a always,exit -F arch=b64 -S fchmod -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 7 + 'Record Events that Modify the Systems Discretionary Access Controls - fchmodat': + content: '-a always,exit -F arch=b64 -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 8 + 'Record Events that Modify the Systems Discretionary Access Controls - fchown': + content: '-a always,exit -F arch=b64 -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 9 + 'Record Events that Modify the Systems Discretionary Access Controls - fchownat': + content: '-a always,exit -F arch=b64 -S fchownat -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 10 + 'Record Events that Modify the Systems 
Discretionary Access Controls - fremovexattr': + content: '-a always,exit -F arch=b64 -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 11 + 'Record Events that Modify the Systems Discretionary Access Controls - fsetxattr': + content: '-a always,exit -F arch=b64 -S fsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 12 + 'Record Events that Modify the Systems Discretionary Access Controls - lchown': + content: '-a always,exit -F arch=b64 -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 13 + 'Record Events that Modify the Systems Discretionary Access Controls - lremovexattr': + content: '-a always,exit -F arch=b64 -S lremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 14 + 'Record Events that Modify the Systems Discretionary Access Controls - lsetxattr': + content: '-a always,exit -F arch=b64 -S lsetxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 15 + 'Record Events that Modify the Systems Discretionary Access Controls - removexattr': + content: '-a always,exit -F arch=b64 -S removexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 16 + 'Record Events that Modify the Systems Discretionary Access Controls - setxattr': + content: '-a always,exit -F arch=b64 -S setxattr -F auid>=1000 -F auid!=4294967295 -k perm_mod' + order : 17 + 'Record Events that Modify User/Group Information - /etc/group': + content: '-w /etc/group -p wa -k audit_rules_usergroup_modification' + order : 18 + 'Record Events that Modify User/Group Information - /etc/passwd': + content: '-w /etc/passwd -p wa -k audit_rules_usergroup_modification' + order : 19 + 'Record Events that Modify User/Group Information - /etc/gshadow': + content: '-w /etc/gshadow -p wa -k audit_rules_usergroup_modification' + order : 20 + 'Record Events that Modify User/Group Information - /etc/shadow': + content: '-w /etc/shadow -p wa -k audit_rules_usergroup_modification' + order : 21 + 'Record Events that Modify User/Group 
Information - /etc/opasswd': + content: '-w /etc/opasswd -p wa -k audit_rules_usergroup_modification' + order : 22 + 'Record Events that Modify the Systems Network Environment - sethostname / setdomainname': + content: '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k audit_rules_networkconfig_modification' + order : 23 + 'Record Events that Modify the Systems Network Environment - /etc/issue': + content: '-w /etc/issue -p wa -k audit_rules_networkconfig_modification' + order : 24 + 'Record Events that Modify the Systems Network Environment - /etc/issue.net': + content: '-w /etc/issue.net -p wa -k audit_rules_networkconfig_modification' + order : 25 + 'Record Events that Modify the Systems Network Environment - /etc/hosts': + content: '-w /etc/hosts -p wa -k audit_rules_networkconfig_modification' + order : 26 + 'Record Events that Modify the Systems Network Environment - /etc/sysconfig/network': + content: '-w /etc/sysconfig/network -p wa -k audit_rules_networkconfig_modification' + order : 27 + 'Record Events that Modify the Systems Mandatory Access Controls': + content: '-w /etc/selinux/ -p wa -k MAC-policy' + order : 28 + 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EACCES)': + content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access' + order : 29 + 'Ensure auditd Collects Unauthorized Access Attempts to Files (unsuccessful / EPERM)': + content: '-a always,exit -F arch=b64 -S creat -S open -S openat -S open_by_handle_at -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access' + order : 30 + 'Ensure auditd Collects Information on the Use of Privileged Commands': + content: '-a always,exit -F path=SETUID_PROG_PATH -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged' + order : 31 + 'Ensure auditd Collects Information on Exporting to Media (successful)': + content: '-a 
always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k export' + order : 32 + 'Ensure auditd Collects File Deletion Events by User': + content: '-a always,exit -F arch=b64 -S rmdir -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' + order : 33 + 'Ensure auditd Collects System Administrator Actions': + content: '-w /etc/sudoers -p wa -k actions' + order : 34 + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (insmod)': + content: '-w /usr/sbin/insmod -p x -k modules' + order : 35 + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (rmmod)': + content: '-w /usr/sbin/rmmod -p x -k modules' + order : 36 + 'Ensure auditd Collects Information on Kernel Module Loading and Unloading (modprobe)': + content: '-w /usr/sbin/modprobe -p x -k modules' + order : 37 diff --git a/environments/cinder-dellps-config.yaml b/environments/cinder-dellps-config.yaml new file mode 100644 index 00000000..eefd0fd6 --- /dev/null +++ b/environments/cinder-dellps-config.yaml 
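Review bot: Several rules in `AuditdRules` will not record what their titles say. The privileged-commands rule uses the literal `-F path=SETUID_PROG_PATH`, which is a template placeholder rather than a path; the `/etc/opasswd` watch presumably means `/etc/security/opasswd`; and every syscall rule is `-F arch=b64` only, so 32-bit syscalls on a 64-bit host are not covered, which a matching `-F arch=b32` entry per rule would close. To my knowledge `stime` is not a syscall on x86_64, so `-S stime` with `arch=b64` may be rejected when the rules are loaded and belongs in a b32 rule instead. `order : 5` is used twice (the localtime watch and the chmod rule); renumber so that each rule has a unique order.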
@@ -0,0 +1,31 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# A Heat environment file which can be used to enable a +# a Cinder Dell EMC PS Series backend, configured via puppet +resource_registry: + OS::TripleO::Services::CinderBackendDellPs: ../puppet/services/cinder-backend-dellps.yaml + +parameter_defaults: + CinderEnableDellPsBackend: true + CinderDellPsBackendName: 'tripleo_dellps' + CinderDellPsSanIp: '' + CinderDellPsSanLogin: '' + CinderDellPsSanPassword: '' + CinderDellPsSanThinProvision: true + CinderDellPsGroupname: 'group-0' + CinderDellPsPool: 'default' + CinderDellPsChapLogin: '' + CinderDellPsChapPassword: '' + CinderDellPsUseChap: false diff --git a/environments/cinder-dellsc-config.yaml b/environments/cinder-dellsc-config.yaml index 92e257d4..617d640c 100644 --- a/environments/cinder-dellsc-config.yaml +++ b/environments/cinder-dellsc-config.yaml @@ -1,7 +1,7 @@ # A Heat environment file which can be used to enable a -# a Cinder Dell Storage Center ISCSI backend, configured via puppet +# Cinder Dell EMC Storage Center ISCSI backend, configured via puppet resource_registry: - OS::TripleO::ControllerExtraConfigPre: ../puppet/extraconfig/pre_deploy/controller/cinder-dellsc.yaml + OS::TripleO::Services::CinderBackendDellSc: ../puppet/services/cinder-backend-dellsc.yaml parameter_defaults: CinderEnableDellScBackend: true 
diff --git a/environments/cinder-eqlx-config.yaml b/environments/cinder-eqlx-config.yaml deleted file mode 100644 index ca2c5e5a..00000000 --- a/environments/cinder-eqlx-config.yaml +++ /dev/null @@ -1,17 +0,0 @@ -# A Heat environment file which can be used to enable a -# a Cinder eqlx backen, configured via puppet -resource_registry: - OS::TripleO::ControllerExtraConfigPre: ../puppet/extraconfig/pre_deploy/controller/cinder-eqlx.yaml - -parameter_defaults: - CinderEnableEqlxBackend: true - CinderEqlxBackendName: 'tripleo_eqlx' - CinderEqlxSanIp: '' - CinderEqlxSanLogin: '' - CinderEqlxSanPassword: '' - CinderEqlxSanThinProvision: true - CinderEqlxGroupname: 'group-0' - CinderEqlxPool: 'default' - CinderEqlxChapLogin: '' - CinderEqlxChapPassword: '' - CinderEqlxUseChap: false diff --git a/environments/cinder-scaleio-config.yaml b/environments/cinder-scaleio-config.yaml new file mode 100644 index 00000000..cebd619c --- /dev/null +++ b/environments/cinder-scaleio-config.yaml 
@@ -0,0 +1,35 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +# +# A Heat environment file which can be used to enable a +# a Cinder Dell EMC SacleIO backend, configured via puppet +resource_registry: + OS::TripleO::Services::CinderBackendScaleIO: ../puppet/services/cinder-backend-scaleio.yaml + +parameter_defaults: + CinderEnableScaleIOBackend: true + CinderScaleIOBackendName: 'tripleo_scaleio' + CinderScaleIOSanIp: '' + CinderScaleIOSanLogin: '' + CinderScaleIOSanPassword: '' + CinderScaleIORestServerPort: '443' + CinderScaleIOVerifyServerCertificate: false + CinderScaleIOServerCertificatePath: '' + CinderScaleIOProtectionDomainName: 'domain1' + CinderScaleIOStoragePoolName: 'pool1' + CinderScaleIOStoragePools: 'domain1:pool1' + CinderScaleIORoundVolumeCapacity: true + CinderScaleIOUnmapVolumeBeforeDeletion: false + CinderScaleIOMaxOverSubscriptionRatio: '' + CinderScaleIOSanThinProvision: true diff --git a/environments/collectd-environment.yaml b/environments/collectd-environment.yaml new file mode 100644 index 00000000..7780530c --- /dev/null +++ b/environments/collectd-environment.yaml 
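Review bot: `CinderScaleIOVerifyServerCertificate: false` ships as the default next to `CinderScaleIOSanLogin`/`CinderScaleIOSanPassword` and `CinderScaleIORestServerPort: '443'`, so a deployment that only fills in the credentials would presumably send them to the gateway without checking its certificate. Default it to `true` and point operators at `CinderScaleIOServerCertificatePath`, or at least add a comment such as `# set to true and provide CinderScaleIOServerCertificatePath outside test labs`. The header comment also has a typo (`SacleIO`) and a doubled article (`enable a` followed by `a Cinder`).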
@@ -0,0 +1,23 @@ +resource_registry: + OS::TripleO::Services::Collectd: ../puppet/services/metrics/collectd.yaml + +# parameter_defaults: +# +## You can specify additional plugins to load using the +## CollectdExtraPlugins key: +# +# CollectdExtraPlugins: +# - disk +# - df +# +## You can use ExtraConfig (or one of the related *ExtraConfig keys) +## to configure collectd. See the documentation for puppet-collectd at +## https://github.com/voxpupuli/puppet-collectd for details. +# +# ExtraConfig: +# collectd::plugin::disk::disks: +# - "/^[vhs]d[a-f][0-9]?$/" +# collectd::plugin::df::mountpoints: +# - "/" +# collectd::plugin::df::ignoreselected: false +# collectd::plugin::cpu::valuespercentage: true diff --git a/environments/contrail/contrail-net.yaml b/environments/contrail/contrail-net.yaml new file mode 100644 index 00000000..1e64f91d --- /dev/null +++ b/environments/contrail/contrail-net.yaml 
@@ -0,0 +1,26 @@ +resource_registry: + OS::TripleO::Compute::Net::SoftwareConfig: contrail-nic-config-compute.yaml + OS::TripleO::Controller::Net::SoftwareConfig: contrail-nic-config.yaml + OS::TripleO::ContrailController::Net::SoftwareConfig: contrail-nic-config.yaml + OS::TripleO::ContrailAnalytics::Net::SoftwareConfig: contrail-nic-config.yaml + OS::TripleO::ContrailAnalyticsDatabase::Net::SoftwareConfig: contrail-nic-config.yaml + OS::TripleO::ContrailTsn::Net::SoftwareConfig: contrail-nic-config-compute.yaml + +parameter_defaults: + ControlPlaneSubnetCidr: '24' + ControlPlaneDefaultRoute: 192.0.2.254 + InternalApiNetCidr: 10.0.0.0/24 + InternalApiAllocationPools: [{'start': '10.0.0.10', 'end': '10.0.0.200'}] + InternalApiDefaultRoute: 10.0.0.1 + ManagementNetCidr: 10.1.0.0/24 + ManagementAllocationPools: [{'start': '10.1.0.10', 'end': '10.1.0.200'}] + ManagementInterfaceDefaultRoute: 10.1.0.1 + ExternalNetCidr: 10.2.0.0/24 + ExternalAllocationPools: [{'start': '10.2.0.10', 'end': '10.2.0.200'}] + EC2MetadataIp: 192.0.2.1 # Generally the IP of the Undercloud + DnsServers: ["8.8.8.8","8.8.4.4"] + VrouterPhysicalInterface: eth1 + VrouterGateway: 10.0.0.1 + VrouterNetmask: 255.255.255.0 + ControlVirtualInterface: eth0 + PublicVirtualInterface: vlan10 diff --git a/environments/contrail/contrail-nic-config-compute.yaml b/environments/contrail/contrail-nic-config-compute.yaml new file mode 100644 index 00000000..3007638a --- /dev/null +++ b/environments/contrail/contrail-nic-config-compute.yaml 
@@ -0,0 +1,167 @@ +heat_template_version: ocata + +description: > + Software Config to drive os-net-config to configure multiple interfaces + for the compute role. This is an example for a Nova compute node using + Contrail vrouter and the vhost0 interface. + +parameters: + ControlPlaneIp: + default: '' + description: IP address/subnet on the ctlplane network + type: string + ExternalIpSubnet: + default: '' + description: IP address/subnet on the external network + type: string + InternalApiIpSubnet: + default: '' + description: IP address/subnet on the internal API network + type: string + InternalApiDefaultRoute: # Not used by default in this template + default: '10.0.0.1' + description: The default route of the internal api network. + type: string + StorageIpSubnet: + default: '' + description: IP address/subnet on the storage network + type: string + StorageMgmtIpSubnet: + default: '' + description: IP address/subnet on the storage mgmt network + type: string + TenantIpSubnet: + default: '' + description: IP address/subnet on the tenant network + type: string + ManagementIpSubnet: # Only populated when including environments/network-management.yaml + default: '' + description: IP address/subnet on the management network + type: string + ExternalNetworkVlanID: + default: 10 + description: Vlan ID for the external network traffic. + type: number + InternalApiNetworkVlanID: + default: 20 + description: Vlan ID for the internal_api network traffic. + type: number + StorageNetworkVlanID: + default: 30 + description: Vlan ID for the storage network traffic. + type: number + StorageMgmtNetworkVlanID: + default: 40 + description: Vlan ID for the storage mgmt network traffic. + type: number + TenantNetworkVlanID: + default: 50 + description: Vlan ID for the tenant network traffic. + type: number + ManagementNetworkVlanID: + default: 60 + description: Vlan ID for the management network traffic. 
+ type: number + ControlPlaneSubnetCidr: # Override this via parameter_defaults + default: '24' + description: The subnet CIDR of the control plane network. + type: string + ControlPlaneDefaultRoute: # Override this via parameter_defaults + description: The default route of the control plane network. + type: string + ExternalInterfaceDefaultRoute: # Not used by default in this template + default: '10.0.0.1' + description: The default route of the external network. + type: string + ManagementInterfaceDefaultRoute: # Commented out by default in this template + default: unset + description: The default route of the management network. + type: string + DnsServers: # Override this via parameter_defaults + default: [] + description: A list of DNS servers (2 max for some implementations) that will be added to resolv.conf. + type: comma_delimited_list + EC2MetadataIp: # Override this via parameter_defaults + description: The IP address of the EC2 metadata server. + type: string + +resources: + OsNetConfigImpl: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: + str_replace: + template: + get_file: ../../scripts/run-os-net-config.sh + params: + $network_config: + network_config: + - type: interface + name: nic1 + use_dhcp: false + dns_servers: + get_param: DnsServers + addresses: + - ip_netmask: + list_join: + - '/' + - - get_param: ControlPlaneIp + - get_param: ControlPlaneSubnetCidr + routes: + - ip_netmask: 169.254.169.254/32 + next_hop: + get_param: EC2MetadataIp + - type: interface + name: nic2 + use_dhcp: false + - type: interface + name: vhost0 + use_dhcp: false + addresses: + - ip_netmask: + get_param: InternalApiIpSubnet + routes: + - default: true + next_hop: + get_param: InternalApiDefaultRoute + - type: linux_bridge + name: br0 + use_dhcp: false + members: + - type: interface + name: nic3 + - type: vlan + vlan_id: + get_param: ManagementNetworkVlanID + device: br0 + addresses: + - ip_netmask: + get_param: ManagementIpSubnet + - type: vlan 
+ vlan_id: + get_param: ExternalNetworkVlanID + device: br0 + addresses: + - ip_netmask: + get_param: ExternalIpSubnet + - type: vlan + vlan_id: + get_param: StorageNetworkVlanID + device: br0 + addresses: + - ip_netmask: + get_param: StorageIpSubnet + - type: vlan + vlan_id: + get_param: StorageMgmtNetworkVlanID + device: br0 + addresses: + - ip_netmask: + get_param: StorageMgmtIpSubnet + +outputs: + OS::stack_id: + description: The OsNetConfigImpl resource. + value: + get_resource: OsNetConfigImpl diff --git a/environments/contrail/contrail-services.yaml b/environments/contrail/contrail-services.yaml new file mode 100644 index 00000000..80ef9d3a --- /dev/null +++ b/environments/contrail/contrail-services.yaml 
@@ -0,0 +1,45 @@ +# A Heat environment file which can be used to enable OpenContrail +# # extensions, configured via puppet +resource_registry: + OS::TripleO::Services::NeutronDhcpAgent: OS::Heat::None + OS::TripleO::Services::NeutronL3Agent: OS::Heat::None + OS::TripleO::Services::NeutronMetadataAgent: OS::Heat::None + OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None + OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None + OS::TripleO::Services::NeutronCorePlugin: OS::TripleO::Services::NeutronCorePluginContrail + OS::TripleO::Services::ComputeNeutronCorePlugin: OS::TripleO::Services::ComputeNeutronCorePluginContrail + OS::TripleO::NodeUserData: ../../firstboot/install_vrouter_kmod.yaml + OS::TripleO::Services::ContrailHeat: ../../puppet/services/network/contrail-heat.yaml + OS::TripleO::Services::ContrailAnalytics: ../../puppet/services/network/contrail-analytics.yaml + OS::TripleO::Services::ContrailAnalyticsDatabase: ../../puppet/services/network/contrail-analytics-database.yaml + OS::TripleO::Services::ContrailConfig: ../../puppet/services/network/contrail-config.yaml + OS::TripleO::Services::ContrailControl: ../../puppet/services/network/contrail-control.yaml + OS::TripleO::Services::ContrailDatabase: ../../puppet/services/network/contrail-database.yaml + OS::TripleO::Services::ContrailWebUI: ../../puppet/services/network/contrail-webui.yaml + OS::TripleO::Services::ContrailTsn: ../../puppet/services/network/contrail-tsn.yaml + OS::TripleO::Services::ComputeNeutronCorePluginContrail: ../../puppet/services/network/contrail-vrouter.yaml + OS::TripleO::Services::NeutronCorePluginContrail: ../../puppet/services/network/contrail-neutron-plugin.yaml +parameter_defaults: + ContrailRepo: http://192.168.24.1/contrail-3.2.0.0-19 + EnablePackageInstall: true +# ContrailConfigIfmapUserName: api-server +# ContrailConfigIfmapUserPassword: api-server + OvercloudControlFlavor: control + OvercloudContrailControllerFlavor: contrail-controller + 
OvercloudContrailAnalyticsFlavor: contrail-analytics + OvercloudContrailAnalyticsDatabaseFlavor: contrail-analytics-database + OvercloudContrailTsnFlavor: contrail-tsn + OvercloudComputeFlavor: compute + ControllerCount: 3 + ContrailControllerCount: 3 + ContrailAnalyticsCount: 3 + ContrailAnalyticsDatabaseCount: 3 + ContrailTsnCount: 1 + ComputeCount: 3 + DnsServers: ["8.8.8.8","8.8.4.4"] + NtpServer: 10.0.0.1 + NeutronCorePlugin: neutron_plugin_contrail.plugins.opencontrail.contrail_plugin.NeutronPluginContrailCoreV2 + NeutronServicePlugins: '' + NeutronTunnelTypes: '' +# NeutronMetadataProxySharedSecret: +# ContrailControlRNDCSecret: # sda1/256 hmac key, e.g. echo -n "values" | openssl dgst -sha256 -hmac key -binary | base64 diff --git a/environments/contrail/roles_data_contrail.yaml b/environments/contrail/roles_data_contrail.yaml new file mode 100644 index 00000000..5f6c4691 --- /dev/null +++ b/environments/contrail/roles_data_contrail.yaml 
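Review bot: `ContrailRepo: http://192.168.24.1/contrail-3.2.0.0-19` sits next to `EnablePackageInstall: true` in `parameter_defaults`, so packages are fetched over plain HTTP and their integrity depends on signature checking that this file does not show. A comment above it such as `# Site-specific: replace with your repository URL; use HTTPS or make sure package signature checking is enabled` would make that explicit. The commented sample `ContrailConfigIfmapUserPassword: api-server` repeats the user name as the password and is likely to be uncommented as-is; a placeholder like `<set a unique password>` is safer. In the `ContrailControlRNDCSecret` hint, `sda1/256` presumably means SHA-256, and the example's literal `values` and `key` inputs should be described as placeholders that must not be reused.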
@@ -0,0 +1,237 @@ +# Specifies which roles (groups of nodes) will be deployed +# Note this is used as an input to the various *.j2.yaml +# jinja2 templates, so that they are converted into *.yaml +# during the plan creation (via a mistral action/workflow). +# +# The format is a list, with the following format: +# +# * name: (string) mandatory, name of the role, must be unique +# +# CountDefault: (number) optional, default number of nodes, defaults to 0 +# sets the default for the {{role.name}}Count parameter in overcloud.yaml +# +# HostnameFormatDefault: (string) optional default format string for hostname +# defaults to '%stackname%-{{role.name.lower()}}-%index%' +# sets the default for {{role.name}}HostnameFormat parameter in overcloud.yaml +# +# disable_constraints: (boolean) optional, whether to disable Nova and Glance +# constraints for each role specified in the templates. +# +# upgrade_batch_size: (number): batch size for upgrades where tasks are +# specified by services to run in batches vs all nodes at once. +# This defaults to 1, but larger batches may be specified here. +# +# ServicesDefault: (list) optional default list of services to be deployed +# on the role, defaults to an empty list. 
Sets the default for the +# {{role.name}}Services parameter in overcloud.yaml + +- name: Controller # the 'primary' role goes first + CountDefault: 1 + ServicesDefault: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::CephMds + - OS::TripleO::Services::CephMon + - OS::TripleO::Services::CephExternal + - OS::TripleO::Services::CephRbdMirror + - OS::TripleO::Services::CephRgw + - OS::TripleO::Services::CinderApi + - OS::TripleO::Services::CinderBackup + - OS::TripleO::Services::CinderScheduler + - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::ContrailHeat + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Keystone + - OS::TripleO::Services::GlanceApi + - OS::TripleO::Services::HeatApi + - OS::TripleO::Services::HeatApiCfn + - OS::TripleO::Services::HeatApiCloudwatch + - OS::TripleO::Services::HeatEngine + - OS::TripleO::Services::MySQL + - OS::TripleO::Services::NeutronApi + - OS::TripleO::Services::NeutronCorePlugin + - OS::TripleO::Services::RabbitMQ + - OS::TripleO::Services::HAproxy + - OS::TripleO::Services::Keepalived + - OS::TripleO::Services::Memcached + - OS::TripleO::Services::Pacemaker + - OS::TripleO::Services::Redis + - OS::TripleO::Services::NovaConductor + - OS::TripleO::Services::MongoDb + - OS::TripleO::Services::NovaApi + - OS::TripleO::Services::NovaPlacement + - OS::TripleO::Services::NovaMetadata + - OS::TripleO::Services::NovaScheduler + - OS::TripleO::Services::NovaConsoleauth + - OS::TripleO::Services::NovaVncProxy + - OS::TripleO::Services::Ec2Api + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::SwiftProxy + - OS::TripleO::Services::SwiftStorage + - OS::TripleO::Services::SwiftRingBuilder + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::CeilometerApi + - OS::TripleO::Services::CeilometerCollector + - OS::TripleO::Services::CeilometerExpirer + - OS::TripleO::Services::CeilometerAgentCentral + - 
OS::TripleO::Services::CeilometerAgentNotification + - OS::TripleO::Services::Horizon + - OS::TripleO::Services::GnocchiApi + - OS::TripleO::Services::GnocchiMetricd + - OS::TripleO::Services::GnocchiStatsd + - OS::TripleO::Services::ManilaApi + - OS::TripleO::Services::ManilaScheduler + - OS::TripleO::Services::ManilaBackendGeneric + - OS::TripleO::Services::ManilaBackendNetapp + - OS::TripleO::Services::ManilaBackendCephFs + - OS::TripleO::Services::ManilaShare + - OS::TripleO::Services::AodhApi + - OS::TripleO::Services::AodhEvaluator + - OS::TripleO::Services::AodhNotifier + - OS::TripleO::Services::AodhListener + - OS::TripleO::Services::SaharaApi + - OS::TripleO::Services::SaharaEngine + - OS::TripleO::Services::IronicApi + - OS::TripleO::Services::IronicConductor + - OS::TripleO::Services::NovaIronic + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::OpenDaylightApi + - OS::TripleO::Services::OpenDaylightOvs + - OS::TripleO::Services::SensuClient + - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::BarbicanApi + - OS::TripleO::Services::PankoApi + - OS::TripleO::Services::Zaqar + - OS::TripleO::Services::OVNDBs + - OS::TripleO::Services::CinderHPELeftHandISCSI + - OS::TripleO::Services::Etcd + - OS::TripleO::Services::AuditD + +- name: Compute + CountDefault: 1 + HostnameFormatDefault: '%stackname%-novacompute-%index%' + disable_upgrade_deployment: True + ServicesDefault: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::CephClient + - OS::TripleO::Services::CephExternal + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd + - OS::TripleO::Services::NovaCompute + - OS::TripleO::Services::NovaLibvirt + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::ComputeNeutronCorePlugin + - OS::TripleO::Services::ComputeNeutronOvsAgent + - OS::TripleO::Services::ComputeCeilometerAgent + - 
OS::TripleO::Services::ComputeNeutronL3Agent + - OS::TripleO::Services::ComputeNeutronMetadataAgent + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::NeutronSriovAgent + - OS::TripleO::Services::OpenDaylightOvs + - OS::TripleO::Services::SensuClient + - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::AuditD + +- name: BlockStorage + ServicesDefault: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::BlockStorageCinderVolume + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::SensuClient + - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::AuditD + +- name: ObjectStorage + disable_upgrade_deployment: True + ServicesDefault: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::SwiftStorage + - OS::TripleO::Services::SwiftRingBuilder + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::SensuClient + - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::AuditD + +- name: CephStorage + disable_upgrade_deployment: True + ServicesDefault: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::CephOSD + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::TripleoFirewall + - OS::TripleO::Services::SensuClient + - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::AuditD + +- name: ContrailController + 
ServicesDefault: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::ContrailConfig + - OS::TripleO::Services::ContrailControl + - OS::TripleO::Services::ContrailDatabase + - OS::TripleO::Services::ContrailWebUI + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::SensuClient + - OS::TripleO::Services::FluentdClient + +- name: ContrailAnalytics + ServicesDefault: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::ContrailAnalytics + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::SensuClient + - OS::TripleO::Services::FluentdClient + +- name: ContrailAnalyticsDatabase + ServicesDefault: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::ContrailAnalyticsDatabase + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::SensuClient + - OS::TripleO::Services::FluentdClient + +- name: ContrailTsn + ServicesDefault: + - OS::TripleO::Services::CACerts + - OS::TripleO::Services::ContrailTsn + - OS::TripleO::Services::Kernel + - OS::TripleO::Services::Ntp + - OS::TripleO::Services::Timezone + - OS::TripleO::Services::Snmp + - OS::TripleO::Services::TripleoPackages + - OS::TripleO::Services::SensuClient + - OS::TripleO::Services::FluentdClient diff --git a/environments/deployed-server-bootstrap-environment-rhel.yaml b/environments/deployed-server-bootstrap-environment-rhel.yaml new file mode 100644 index 00000000..f614a91a --- /dev/null +++ b/environments/deployed-server-bootstrap-environment-rhel.yaml 
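Review bot: The four Contrail roles (`ContrailController`, `ContrailAnalytics`, `ContrailAnalyticsDatabase`, `ContrailTsn`) omit `OS::TripleO::Services::TripleoFirewall`, `OS::TripleO::Services::AuditD` and `OS::TripleO::Services::Sshd`, which every other role in this file lists. As written, those nodes would be deployed without the firewall, audit and sshd configuration that the rest of the overcloud receives. If the omission is deliberate (for example because firewall rules for the Contrail ports do not exist yet, which is not visible here), say so in a comment above the first Contrail role, e.g. `# TripleoFirewall/AuditD/Sshd intentionally omitted: <reason>`. Otherwise add the three entries to each Contrail `ServicesDefault` list.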
@@ -0,0 +1,7 @@ +# An environment that can be used with the deployed-server.yaml template to do +# initial bootstrapping of the deployed servers. +resource_registry: + OS::TripleO::DeployedServer::Bootstrap: ../deployed-server/deployed-server-bootstrap-rhel.yaml + +parameter_defaults: + EnablePackageInstall: True diff --git a/environments/enable-internal-tls.yaml b/environments/enable-internal-tls.yaml index 6e912faa..ff4ecfbe 100644 --- a/environments/enable-internal-tls.yaml +++ b/environments/enable-internal-tls.yaml @@ -2,7 +2,18 @@ # a TLS for in the internal network via certmonger parameter_defaults: EnableInternalTLS: true + + # Required for novajoin to enroll the overcloud nodes + ServerMetadata: + ipa_enroll: True + resource_registry: OS::TripleO::Services::HAProxyInternalTLS: ../puppet/services/haproxy-internal-tls-certmonger.yaml OS::TripleO::Services::ApacheTLS: ../puppet/services/apache-internal-tls-certmonger.yaml OS::TripleO::Services::MySQLTLS: ../puppet/services/database/mysql-internal-tls-certmonger.yaml + # We use apache as a TLS proxy + OS::TripleO::Services::TLSProxyBase: ../puppet/services/apache.yaml + + # Creates nova metadata that will create the extra service principals per + # node. + OS::TripleO::ServiceServerMetadataHook: ../extraconfig/nova_metadata/krb-service-principals.yaml diff --git a/environments/enable_congress.yaml b/environments/enable_congress.yaml new file mode 100644 index 00000000..1eea7f5e --- /dev/null +++ b/environments/enable_congress.yaml @@ -0,0 +1,2 @@ +resource_registry: + OS::TripleO::Services::Congress: ../puppet/services/congress.yaml diff --git a/environments/enable_tacker.yaml b/environments/enable_tacker.yaml new file mode 100644 index 00000000..1f9eca01 --- /dev/null +++ b/environments/enable_tacker.yaml @@ -0,0 +1,2 @@ +resource_registry: + OS::TripleO::Services::Tacker: ../puppet/services/tacker.yaml 
diff --git a/environments/horizon_password_validation.yaml b/environments/horizon_password_validation.yaml new file mode 100644 index 00000000..1a0f92cc --- /dev/null +++ b/environments/horizon_password_validation.yaml @@ -0,0 +1,5 @@ +# Use this enviroment to pass in validation regex for horizons password +# validation checks +parameter_defaults: + HorizonPasswordValidator: '.*' + HorizonPasswordValidatorHelp: 'Your password does not meet the requirements.' diff --git a/environments/host-config-pre-network.j2.yaml b/environments/host-config-pre-network.j2.yaml index fe1302b5..c79e28b4 100644 --- a/environments/host-config-pre-network.j2.yaml +++ b/environments/host-config-pre-network.j2.yaml @@ -1,12 +1,12 @@ resource_registry: # Create the registry only for roles with the word "Compute" in it. Like ComputeOvsDpdk, ComputeSriov, etc., -{% for role in roles %} +{%- for role in roles -%} {% if "Compute" in role.name %} OS::TripleO::{{role.name}}::PreNetworkConfig: ../extraconfig/pre_network/{{role.name.lower()}}-host_config_and_reboot.yaml -{% endif %} +{%- endif -%} {% endfor %} -parameter_defaults: +#parameter_defaults: # Sample parameters for Compute and ComputeOvsDpdk roles #ComputeKernelArgs: "" #ComputeTunedProfileName: "" diff --git a/environments/major-upgrade-all-in-one.yaml b/environments/major-upgrade-all-in-one.yaml index 69d72edd..4283b212 100644 --- a/environments/major-upgrade-all-in-one.yaml +++ b/environments/major-upgrade-all-in-one.yaml 
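Review bot: `HorizonPasswordValidator: '.*'` matches every string, so including this environment unchanged enforces no password requirement at all while `HorizonPasswordValidatorHelp` tells users that one exists. The header comment should say the value is a placeholder, for instance `# '.*' accepts any password; replace it with the regex for your password policy`. Alternatively the sample could ship a restrictive pattern; a constructed example would be `'^.{12,}$'`, with the help text changed to describe that rule.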
@@ -1,8 +1,2 @@ -# We run the upgrade steps without disabling the OS::TripleO::PostDeploySteps -# this means you can do a major upgrade in one pass, which may be useful -# e.g for all-in-one deployments where we can upgrade the compute services -# at the same time as the controlplane -# Note that it will be necessary to pass a mapping of OS::Heat::None again for -# any subsequent updates, or the upgrade steps will run again. resource_registry: - OS::TripleO::UpgradeSteps: ../puppet/major_upgrade_steps.yaml + OS::TripleO::PostDeploySteps: ../puppet/major_upgrade_steps.yaml diff --git a/environments/major-upgrade-composable-steps.yaml b/environments/major-upgrade-composable-steps.yaml index 7e10014b..44580b43 100644 --- a/environments/major-upgrade-composable-steps.yaml +++ b/environments/major-upgrade-composable-steps.yaml @@ -1,3 +1,4 @@ resource_registry: - OS::TripleO::UpgradeSteps: ../puppet/major_upgrade_steps.yaml - OS::TripleO::PostDeploySteps: OS::Heat::None + OS::TripleO::PostDeploySteps: ../puppet/major_upgrade_steps.yaml +parameter_defaults: + UpgradeLevelNovaCompute: auto diff --git a/environments/major-upgrade-converge.yaml b/environments/major-upgrade-converge.yaml new file mode 100644 index 00000000..e3c0e531 --- /dev/null +++ b/environments/major-upgrade-converge.yaml @@ -0,0 +1,6 @@ +# Use this to reset any mappings only used for upgrades after the +# update of all nodes is completed +resource_registry: + OS::TripleO::PostDeploySteps: ../puppet/post.yaml +parameter_defaults: + UpgradeLevelNovaCompute: '' diff --git a/environments/neutron-ml2-fujitsu-fossw.yaml b/environments/neutron-ml2-fujitsu-fossw.yaml new file mode 100644 index 00000000..8db8da75 --- /dev/null +++ b/environments/neutron-ml2-fujitsu-fossw.yaml 
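Review bot: The rewritten major-upgrade-all-in-one.yaml drops the comment warning that the upgrade steps run again on later updates unless the mapping is reset, and nothing replaces it now that `OS::TripleO::PostDeploySteps` itself points at `../puppet/major_upgrade_steps.yaml`. major-upgrade-converge.yaml, added further down in this diff, maps `OS::TripleO::PostDeploySteps` back to `../puppet/post.yaml`, but neither upgrade environment mentions it. A header comment such as `# After all nodes are upgraded, apply major-upgrade-converge.yaml to restore OS::TripleO::PostDeploySteps` would keep that step visible. The same comment is missing from major-upgrade-composable-steps.yaml in the next hunk.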
@@ -0,0 +1,22 @@ +# A Heat environment file which can be used to enable Fujitsu fossw +# plugin, configured via puppet +resource_registry: + OS::TripleO::Services::NeutronML2FujitsuFossw: ../puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml + +parameter_defaults: + # Fixed + NeutronMechanismDrivers: ['openvswitch','fujitsu_fossw'] + NeutronTypeDrivers: ['vlan','vxlan'] + NeutronNetworkType: ['vlan','vxlan'] + + # Required + NeutronFujitsuFosswIps: '192.168.0.1,192.168.0.2' + NeutronFujitsuFosswUserName: + NeutronFujitsuFosswPassword: + + # Optional + #NeutronFujitsuFosswPort: + #NeutronFujitsuFosswTimeout: + #NeutronFujitsuFosswUdpDestPort: + #NeutronFujitsuFosswOvsdbVlanidRangeMin: + #NeutronFujitsuFosswOvsdbPort: diff --git a/environments/neutron-ml2-ovn.yaml b/environments/neutron-ml2-ovn.yaml index 3da560c8..7483bdbb 100644 --- a/environments/neutron-ml2-ovn.yaml +++ b/environments/neutron-ml2-ovn.yaml @@ -3,6 +3,7 @@ resource_registry: OS::TripleO::Services::NeutronL3Agent: OS::Heat::None OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None + OS::TripleO::Services::NeutronMetadataAgent: OS::Heat::None OS::TripleO::Services::NeutronCorePlugin: OS::TripleO::Services::NeutronCorePluginML2OVN OS::TripleO::Services::ComputeNeutronCorePlugin: ../puppet/services/neutron-compute-plugin-ovn.yaml # Disabling Neutron services that overlap with OVN @@ -12,11 +13,12 @@ resource_registry: parameter_defaults: NeutronMechanismDrivers: ovn - OVNSouthboundServerPort: 6642 - OVNNorthboundServerPort: 6641 - OVNDbConnectionTimeout: 60 OVNVifType: ovs OVNNeutronSyncMode: log OVNQosDriver: ovn-qos OVNTunnelEncapType: geneve NeutronEnableDHCPAgent: false + NeutronTypeDrivers: 'geneve,vxlan,vlan,flat' + NeutronNetworkType: 'geneve' + NeutronServicePlugins: 'qos,ovn-router' + NeutronVniRanges: ['1:65536', ] diff --git a/environments/neutron-opencontrail.yaml b/environments/neutron-opencontrail.yaml deleted file mode 100644 index 51575b86..00000000 
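Review bot: `NeutronFujitsuFosswUserName:` and `NeutronFujitsuFosswPassword:` are left as bare keys under `parameter_defaults`, which YAML parses as null, so including this environment unchanged supplies null switch credentials instead of leaving the parameters unset. How the service template treats a null value is not visible in this hunk. It would be safer to comment both keys out, as the optional ones below them are, under a line such as `# Required: set both in a site-specific environment file; do not commit the password`. `NeutronFujitsuFosswIps: '192.168.0.1,192.168.0.2'` is also a sample value and should be labelled as one.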
--- a/environments/neutron-opencontrail.yaml +++ /dev/null @@ -1,25 +0,0 @@ -# A Heat environment file which can be used to enable OpenContrail -# extensions, configured via puppet -resource_registry: - OS::TripleO::ComputeExtraConfigPre: ../puppet/extraconfig/pre_deploy/compute/neutron-opencontrail.yaml - OS::TripleO::Services::NeutronDhcpAgent: OS::Heat::None - OS::TripleO::Services::NeutronL3Agent: OS::Heat::None - OS::TripleO::Services::NeutronMetadataAgent: OS::Heat::None - OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None - OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None - # Override the NeutronCorePlugin to use Nuage - OS::TripleO::Services::NeutronCorePlugin: OS::TripleO::Services::NeutronCorePluginOpencontrail - OS::TripleO::Services::ComputeNeutronCorePlugin: ../puppet/services/neutron-compute-plugin-opencontrail.yaml - -parameter_defaults: - NeutronCorePlugin: neutron_plugin_contrail.plugins.opencontrail.contrail_plugin.NeutronPluginContrailCoreV2 - NeutronServicePlugins: neutron_plugin_contrail.plugins.opencontrail.loadbalancer.v2.plugin.LoadBalancerPluginV2 - NeutronTunnelTypes: '' - - # required params: - #ContrailApiServerIp: - #ContrailExtensions: '' - - # optional params - # ContrailApiServerPort: 8082 - # ContrailMultiTenancy: false diff --git a/environments/neutron-opendaylight-l3.yaml b/environments/neutron-opendaylight-l3.yaml deleted file mode 100644 index 6d5c7404..00000000 --- a/environments/neutron-opendaylight-l3.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ -# A Heat environment that can be used to deploy OpenDaylight with L3 DVR -resource_registry: - OS::TripleO::Services::NeutronOvsAgent: OS::Heat::None - OS::TripleO::Services::ComputeNeutronOvsAgent: OS::Heat::None - OS::TripleO::Services::ComputeNeutronCorePlugin: OS::Heat::None - OS::TripleO::Services::OpenDaylightApi: ../puppet/services/opendaylight-api.yaml - OS::TripleO::Services::OpenDaylightOvs: ../puppet/services/opendaylight-ovs.yaml - OS::TripleO::Services::NeutronL3Agent: OS::Heat::None - -parameter_defaults: - NeutronEnableForceMetadata: true - NeutronMechanismDrivers: 'opendaylight_v2' - NeutronServicePlugins: 'odl-router_v2' - OpenDaylightEnableL3: "'yes'" diff --git a/environments/neutron-sriov.yaml b/environments/neutron-sriov.yaml index 9b7e51f9..5e9e15e3 100755 --- a/environments/neutron-sriov.yaml +++ b/environments/neutron-sriov.yaml @@ -9,9 +9,6 @@ parameter_defaults: #NovaSchedulerDefaultFilters: ['RetryFilter','AvailabilityZoneFilter','RamFilter','ComputeFilter','ComputeCapabilitiesFilter','ImagePropertiesFilter','ServerGroupAntiAffinityFilter','ServerGroupAffinityFilter','PciPassthroughFilter'] #NovaSchedulerAvailableFilters: ["nova.scheduler.filters.all_filters","nova.scheduler.filters.pci_passthrough_filter.PciPassthroughFilter"] - # Provide the vendorid:productid of the VFs - #NeutronSupportedPCIVendorDevs: ['8086:154c','8086:10ca','8086:1520'] - #NeutronPhysicalDevMappings: "datacentre:ens20f2" # Number of VFs that needs to be configured for a physical interface diff --git a/environments/puppet-ceph.yaml b/environments/puppet-ceph.yaml new file mode 100644 index 00000000..57af540a --- /dev/null +++ b/environments/puppet-ceph.yaml 
@@ -0,0 +1,12 @@ +resource_registry: + OS::TripleO::Services::CephMon: ../puppet/services/ceph-mon.yaml + OS::TripleO::Services::CephOSD: ../puppet/services/ceph-osd.yaml + OS::TripleO::Services::CephClient: ../puppet/services/ceph-client.yaml + +parameter_defaults: + CinderEnableIscsiBackend: false + CinderEnableRbdBackend: true + CinderBackupBackend: ceph + NovaEnableRbdBackend: true + GlanceBackend: rbd + GnocchiBackend: rbd diff --git a/environments/puppet-pacemaker.yaml b/environments/puppet-pacemaker.yaml index 0b71dbd9..da607a72 100644 --- a/environments/puppet-pacemaker.yaml +++ b/environments/puppet-pacemaker.yaml @@ -12,6 +12,7 @@ resource_registry: OS::TripleO::Services::RabbitMQ: ../puppet/services/pacemaker/rabbitmq.yaml OS::TripleO::Services::HAproxy: ../puppet/services/pacemaker/haproxy.yaml OS::TripleO::Services::Pacemaker: ../puppet/services/pacemaker.yaml + OS::TripleO::Services::PacemakerRemote: ../puppet/services/pacemaker_remote.yaml OS::TripleO::Services::Redis: ../puppet/services/pacemaker/database/redis.yaml OS::TripleO::Services::MySQL: ../puppet/services/pacemaker/database/mysql.yaml # Services that are disabled by default (use relevant environment files): diff --git a/environments/services/ceph-rbdmirror.yaml b/environments/services/ceph-rbdmirror.yaml new file mode 100644 index 00000000..b350e4c5 --- /dev/null +++ b/environments/services/ceph-rbdmirror.yaml @@ -0,0 +1,2 @@ +resource_registry: + OS::TripleO::Services::CephRbdMirror: ../../puppet/services/pacemaker/ceph-rbdmirror.yaml diff --git a/environments/services/ec2-api.yaml b/environments/services/ec2-api.yaml new file mode 100644 index 00000000..d751ba23 --- /dev/null +++ b/environments/services/ec2-api.yaml @@ -0,0 +1,3 @@ +# A Heat environment file which can be used to enable EC2-API service. +resource_registry: + OS::TripleO::Services::Ec2Api: ../../puppet/services/ec2-api.yaml 
diff --git a/environments/services/octavia.yaml b/environments/services/octavia.yaml new file mode 100644 index 00000000..24c57b8c --- /dev/null +++ b/environments/services/octavia.yaml @@ -0,0 +1,9 @@ +resource_registry: + OS::TripleO::Services::OctaviaApi: ../../puppet/services/octavia-api.yaml + OS::TripleO::Services::OctaviaHealthManager: ../../puppet/services/octavia-health-manager.yaml + OS::TripleO::Services::OctaviaHousekeeping: ../../puppet/services/octavia-housekeeping.yaml + OS::TripleO::Services::OctaviaWorker: ../../puppet/services/octavia-worker.yaml + +parameter_defaults: + NeutronServicePlugins: "qos,router,trunk,lbaasv2" + NeutronEnableForceMetadata: true diff --git a/environments/sshd-banner.yaml b/environments/sshd-banner.yaml new file mode 100644 index 00000000..041c0990 --- /dev/null +++ b/environments/sshd-banner.yaml @@ -0,0 +1,13 @@ +resource_registry: + OS::TripleO::Services::Sshd: ../puppet/services/sshd.yaml + +parameter_defaults: + BannerText: | + ****************************************************************** + * This system is for the use of authorized users only. Usage of * + * this system may be monitored and recorded by system personnel. * + * Anyone using this system expressly consents to such monitoring * + * and is advised that if such monitoring reveals possible * + * evidence of criminal activity, system personnel may provide * + * the evidence from such monitoring to law enforcement officials.* + ****************************************************************** diff --git a/environments/tls-endpoints-public-dns.yaml b/environments/tls-endpoints-public-dns.yaml index 74c9f61d..1b666c5b 100644 --- a/environments/tls-endpoints-public-dns.yaml +++ b/environments/tls-endpoints-public-dns.yaml 
@@ -17,6 +17,45 @@ parameter_defaults: CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'} + CongressAdmin: {protocol: 'http', port: '1789', host: 'IP_ADDRESS'} + CongressInternal: {protocol: 'http', port: '1789', host: 'IP_ADDRESS'} + CongressPublic: {protocol: 'https', port: '13789', host: 'CLOUDNAME'} + ContrailAnalyticsApiAdmin: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'} + ContrailAnalyticsApiInternal: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'} + ContrailAnalyticsApiPublic: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorHttpAdmin: {protocol: 'http', port: '8089', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorHttpInternal: {protocol: 'http', port: '8089', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorHttpPublic: {protocol: 'http', port: '8089', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorSandeshAdmin: {protocol: 'http', port: '8086', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorSandeshInternal: {protocol: 'http', port: '8086', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorSandeshPublic: {protocol: 'http', port: '8086', + host: 'IP_ADDRESS'} + ContrailAnalyticsHttpAdmin: {protocol: 'http', port: '8090', host: 'IP_ADDRESS'} + ContrailAnalyticsHttpInternal: {protocol: 'http', port: '8090', host: 'IP_ADDRESS'} + ContrailAnalyticsHttpPublic: {protocol: 'http', port: '8090', host: 'IP_ADDRESS'} + ContrailAnalyticsRedisAdmin: {protocol: 'http', port: '6379', host: 'IP_ADDRESS'} + ContrailAnalyticsRedisInternal: {protocol: 'http', port: '6379', host: 'IP_ADDRESS'} + ContrailAnalyticsRedisPublic: {protocol: 'http', port: '6379', host: 'IP_ADDRESS'} + ContrailConfigAdmin: {protocol: 'http', port: '8082', host: 'IP_ADDRESS'} + ContrailConfigInternal: {protocol: 'http', port: '8082', host: 'IP_ADDRESS'} + ContrailConfigPublic: {protocol: 'http', 
port: '8082', host: 'IP_ADDRESS'} + ContrailDiscoveryAdmin: {protocol: 'http', port: '5998', host: 'IP_ADDRESS'} + ContrailDiscoveryInternal: {protocol: 'http', port: '5998', host: 'IP_ADDRESS'} + ContrailDiscoveryPublic: {protocol: 'http', port: '5998', host: 'IP_ADDRESS'} + ContrailWebuiHttpAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + ContrailWebuiHttpInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + ContrailWebuiHttpPublic: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + ContrailWebuiHttpsAdmin: {protocol: 'http', port: '8143', host: 'IP_ADDRESS'} + ContrailWebuiHttpsInternal: {protocol: 'http', port: '8143', host: 'IP_ADDRESS'} + ContrailWebuiHttpsPublic: {protocol: 'http', port: '8143', host: 'IP_ADDRESS'} + Ec2ApiAdmin: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'} + Ec2ApiInternal: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'} + Ec2ApiPublic: {protocol: 'https', port: '13788', host: 'CLOUDNAME'} GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} @@ -55,6 +94,9 @@ parameter_defaults: NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'} + OctaviaAdmin: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'} + OctaviaInternal: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'} + OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'} PankoAdmin: {protocol: 'http', port: '8779', host: 'IP_ADDRESS'} PankoInternal: {protocol: 'http', port: '8779', host: 'IP_ADDRESS'} PankoPublic: {protocol: 'https', port: '13779', host: 'CLOUDNAME'} 
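Review bot: Every `Contrail*Public` entry added in the first hunk is `protocol: 'http'` with `host: 'IP_ADDRESS'`, so these endpoints stay unencrypted in the environment that is meant to put public endpoints behind TLS; `CongressPublic` and `Ec2ApiPublic` in the same hunk use `https`, a `13xxx` port and `CLOUDNAME`. `ContrailWebuiHttpsPublic` is declared with `protocol: 'http'` on port 8143, which contradicts its name, and `ContrailAnalyticsRedisPublic` describes Redis port 6379 as a public endpoint. If public TLS for Contrail is not supported yet, add a comment above the block, e.g. `# Contrail public endpoints are not TLS-terminated yet; keep them off untrusted networks`. The same entries repeat in the first hunk of tls-endpoints-public-ip.yaml.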
@@ -64,6 +106,9 @@ parameter_defaults: SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} + TackerAdmin: {protocol: 'http', port: '9890', host: 'IP_ADDRESS'} + TackerInternal: {protocol: 'http', port: '9890', host: 'IP_ADDRESS'} + TackerPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'} ZaqarAdmin: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'} ZaqarInternal: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'} ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'} diff --git a/environments/tls-endpoints-public-ip.yaml b/environments/tls-endpoints-public-ip.yaml index 17ff2feb..7311a1f9 100644 --- a/environments/tls-endpoints-public-ip.yaml +++ b/environments/tls-endpoints-public-ip.yaml 
@@ -17,6 +17,45 @@ parameter_defaults: CinderAdmin: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} CinderInternal: {protocol: 'http', port: '8776', host: 'IP_ADDRESS'} CinderPublic: {protocol: 'https', port: '13776', host: 'IP_ADDRESS'} + CongressAdmin: {protocol: 'http', port: '1789', host: 'IP_ADDRESS'} + CongressInternal: {protocol: 'http', port: '1789', host: 'IP_ADDRESS'} + CongressPublic: {protocol: 'https', port: '13789', host: 'IP_ADDRESS'} + ContrailAnalyticsApiAdmin: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'} + ContrailAnalyticsApiInternal: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'} + ContrailAnalyticsApiPublic: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorHttpAdmin: {protocol: 'http', port: '8089', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorHttpInternal: {protocol: 'http', port: '8089', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorHttpPublic: {protocol: 'http', port: '8089', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorSandeshAdmin: {protocol: 'http', port: '8086', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorSandeshInternal: {protocol: 'http', port: '8086', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorSandeshPublic: {protocol: 'http', port: '8086', + host: 'IP_ADDRESS'} + ContrailAnalyticsHttpAdmin: {protocol: 'http', port: '8090', host: 'IP_ADDRESS'} + ContrailAnalyticsHttpInternal: {protocol: 'http', port: '8090', host: 'IP_ADDRESS'} + ContrailAnalyticsHttpPublic: {protocol: 'http', port: '8090', host: 'IP_ADDRESS'} + ContrailAnalyticsRedisAdmin: {protocol: 'http', port: '6379', host: 'IP_ADDRESS'} + ContrailAnalyticsRedisInternal: {protocol: 'http', port: '6379', host: 'IP_ADDRESS'} + ContrailAnalyticsRedisPublic: {protocol: 'http', port: '6379', host: 'IP_ADDRESS'} + ContrailConfigAdmin: {protocol: 'http', port: '8082', host: 'IP_ADDRESS'} + ContrailConfigInternal: {protocol: 'http', port: '8082', host: 'IP_ADDRESS'} + ContrailConfigPublic: {protocol: 'http', 
port: '8082', host: 'IP_ADDRESS'} + ContrailDiscoveryAdmin: {protocol: 'http', port: '5998', host: 'IP_ADDRESS'} + ContrailDiscoveryInternal: {protocol: 'http', port: '5998', host: 'IP_ADDRESS'} + ContrailDiscoveryPublic: {protocol: 'http', port: '5998', host: 'IP_ADDRESS'} + ContrailWebuiHttpAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + ContrailWebuiHttpInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + ContrailWebuiHttpPublic: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + ContrailWebuiHttpsAdmin: {protocol: 'http', port: '8143', host: 'IP_ADDRESS'} + ContrailWebuiHttpsInternal: {protocol: 'http', port: '8143', host: 'IP_ADDRESS'} + ContrailWebuiHttpsPublic: {protocol: 'http', port: '8143', host: 'IP_ADDRESS'} + Ec2ApiAdmin: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'} + Ec2ApiInternal: {protocol: 'http', port: '8788', host: 'IP_ADDRESS'} + Ec2ApiPublic: {protocol: 'https', port: '13788', host: 'IP_ADDRESS'} GlanceAdmin: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} GlanceInternal: {protocol: 'http', port: '9292', host: 'IP_ADDRESS'} GlancePublic: {protocol: 'https', port: '13292', host: 'IP_ADDRESS'} @@ -55,6 +94,9 @@ parameter_defaults: NovaVNCProxyAdmin: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} NovaVNCProxyInternal: {protocol: 'http', port: '6080', host: 'IP_ADDRESS'} NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'IP_ADDRESS'} + OctaviaAdmin: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'} + OctaviaInternal: {protocol: 'http', port: '9876', host: 'IP_ADDRESS'} + OctaviaPublic: {protocol: 'https', port: '13876', host: 'IP_ADDRESS'} PankoAdmin: {protocol: 'http', port: '8779', host: 'IP_ADDRESS'} PankoInternal: {protocol: 'http', port: '8779', host: 'IP_ADDRESS'} PankoPublic: {protocol: 'https', port: '13779', host: 'IP_ADDRESS'} 
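Review bot: Every `Contrail*Public` entry added in this hunk keeps `protocol: 'http'`, although this environment exists to put the Public endpoints on `https`, and the `ContrailWebuiHttps*` entries on port 8143 are declared as `http` too. The same block is repeated in the tls-endpoints-public-dns.yaml and tls-everywhere-endpoints-dns.yaml hunks, where even Admin and Internal stay on `http`/`IP_ADDRESS`. Whether Contrail can sit behind the TLS frontend is not visible from this diff, so if the exception is deliberate I would state it above the block, e.g. `# Contrail endpoints are not TLS-terminated by this environment`. Otherwise the Public entries should follow the file's pattern, e.g. `ContrailWebuiHttpsPublic: {protocol: 'https', port: '8143', host: 'IP_ADDRESS'}`. `ContrailAnalyticsRedisPublic` on 6379 deserves a second look in either case, since it advertises a Redis port as a public endpoint.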
@@ -64,6 +106,9 @@ parameter_defaults: SwiftAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} SwiftInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} SwiftPublic: {protocol: 'https', port: '13808', host: 'IP_ADDRESS'} + TackerAdmin: {protocol: 'http', port: '9890', host: 'IP_ADDRESS'} + TackerInternal: {protocol: 'http', port: '9890', host: 'IP_ADDRESS'} + TackerPublic: {protocol: 'https', port: '13989', host: 'IP_ADDRESS'} ZaqarAdmin: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'} ZaqarInternal: {protocol: 'http', port: '8888', host: 'IP_ADDRESS'} ZaqarPublic: {protocol: 'https', port: '13888', host: 'IP_ADDRESS'} diff --git a/environments/tls-everywhere-endpoints-dns.yaml b/environments/tls-everywhere-endpoints-dns.yaml index 0aa2be08..e6608b57 100644 --- a/environments/tls-everywhere-endpoints-dns.yaml +++ b/environments/tls-everywhere-endpoints-dns.yaml 
@@ -17,6 +17,45 @@ parameter_defaults: CinderAdmin: {protocol: 'https', port: '8776', host: 'CLOUDNAME'} CinderInternal: {protocol: 'https', port: '8776', host: 'CLOUDNAME'} CinderPublic: {protocol: 'https', port: '13776', host: 'CLOUDNAME'} + CongressAdmin: {protocol: 'https', port: '1789', host: 'CLOUDNAME'} + CongressInternal: {protocol: 'https', port: '1789', host: 'CLOUDNAME'} + CongressPublic: {protocol: 'https', port: '13789', host: 'CLOUDNAME'} + ContrailAnalyticsApiAdmin: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'} + ContrailAnalyticsApiInternal: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'} + ContrailAnalyticsApiPublic: {protocol: 'http', port: '8081', host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorHttpAdmin: {protocol: 'http', port: '8089', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorHttpInternal: {protocol: 'http', port: '8089', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorHttpPublic: {protocol: 'http', port: '8089', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorSandeshAdmin: {protocol: 'http', port: '8086', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorSandeshInternal: {protocol: 'http', port: '8086', + host: 'IP_ADDRESS'} + ContrailAnalyticsCollectorSandeshPublic: {protocol: 'http', port: '8086', + host: 'IP_ADDRESS'} + ContrailAnalyticsHttpAdmin: {protocol: 'http', port: '8090', host: 'IP_ADDRESS'} + ContrailAnalyticsHttpInternal: {protocol: 'http', port: '8090', host: 'IP_ADDRESS'} + ContrailAnalyticsHttpPublic: {protocol: 'http', port: '8090', host: 'IP_ADDRESS'} + ContrailAnalyticsRedisAdmin: {protocol: 'http', port: '6379', host: 'IP_ADDRESS'} + ContrailAnalyticsRedisInternal: {protocol: 'http', port: '6379', host: 'IP_ADDRESS'} + ContrailAnalyticsRedisPublic: {protocol: 'http', port: '6379', host: 'IP_ADDRESS'} + ContrailConfigAdmin: {protocol: 'http', port: '8082', host: 'IP_ADDRESS'} + ContrailConfigInternal: {protocol: 'http', port: '8082', host: 'IP_ADDRESS'} + ContrailConfigPublic: {protocol: 'http', 
port: '8082', host: 'IP_ADDRESS'} + ContrailDiscoveryAdmin: {protocol: 'http', port: '5998', host: 'IP_ADDRESS'} + ContrailDiscoveryInternal: {protocol: 'http', port: '5998', host: 'IP_ADDRESS'} + ContrailDiscoveryPublic: {protocol: 'http', port: '5998', host: 'IP_ADDRESS'} + ContrailWebuiHttpAdmin: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + ContrailWebuiHttpInternal: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + ContrailWebuiHttpPublic: {protocol: 'http', port: '8080', host: 'IP_ADDRESS'} + ContrailWebuiHttpsAdmin: {protocol: 'http', port: '8143', host: 'IP_ADDRESS'} + ContrailWebuiHttpsInternal: {protocol: 'http', port: '8143', host: 'IP_ADDRESS'} + ContrailWebuiHttpsPublic: {protocol: 'http', port: '8143', host: 'IP_ADDRESS'} + Ec2ApiAdmin: {protocol: 'https', port: '8788', host: 'CLOUDNAME'} + Ec2ApiInternal: {protocol: 'https', port: '8788', host: 'CLOUDNAME'} + Ec2ApiPublic: {protocol: 'https', port: '13788', host: 'CLOUDNAME'} GlanceAdmin: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} GlanceInternal: {protocol: 'https', port: '9292', host: 'CLOUDNAME'} GlancePublic: {protocol: 'https', port: '13292', host: 'CLOUDNAME'} @@ -55,6 +94,9 @@ parameter_defaults: NovaVNCProxyAdmin: {protocol: 'https', port: '6080', host: 'CLOUDNAME'} NovaVNCProxyInternal: {protocol: 'https', port: '6080', host: 'CLOUDNAME'} NovaVNCProxyPublic: {protocol: 'https', port: '13080', host: 'CLOUDNAME'} + OctaviaAdmin: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'} + OctaviaInternal: {protocol: 'https', port: '9876', host: 'IP_ADDRESS'} + OctaviaPublic: {protocol: 'https', port: '13876', host: 'CLOUDNAME'} PankoAdmin: {protocol: 'https', port: '8779', host: 'CLOUDNAME'} PankoInternal: {protocol: 'https', port: '8779', host: 'CLOUDNAME'} PankoPublic: {protocol: 'https', port: '13779', host: 'CLOUDNAME'} 
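Review bot: `OctaviaAdmin` and `OctaviaInternal` are set to `https` but keep `host: 'IP_ADDRESS'`, while every other `https` Admin/Internal entry visible in these hunks (Cinder, Congress, Ec2Api, Glance, NovaVNCProxy, Panko, Swift, Tacker, Zaqar) uses `'CLOUDNAME'`. With an IP in the URL, a client that verifies the server certificate only succeeds if the certificate carries that IP as a subject alternative name, which is presumably not how the other services are provisioned. Unless Octavia is a deliberate exception, I would align it: `OctaviaAdmin: {protocol: 'https', port: '9876', host: 'CLOUDNAME'}` and the same for `OctaviaInternal`.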
@@ -64,6 +106,9 @@ parameter_defaults: SwiftAdmin: {protocol: 'https', port: '8080', host: 'CLOUDNAME'} SwiftInternal: {protocol: 'https', port: '8080', host: 'CLOUDNAME'} SwiftPublic: {protocol: 'https', port: '13808', host: 'CLOUDNAME'} + TackerAdmin: {protocol: 'https', port: '9890', host: 'CLOUDNAME'} + TackerInternal: {protocol: 'https', port: '9890', host: 'CLOUDNAME'} + TackerPublic: {protocol: 'https', port: '13989', host: 'CLOUDNAME'} ZaqarAdmin: {protocol: 'https', port: '8888', host: 'CLOUDNAME'} ZaqarInternal: {protocol: 'https', port: '8888', host: 'CLOUDNAME'} ZaqarPublic: {protocol: 'https', port: '13888', host: 'CLOUDNAME'} diff --git a/extraconfig/nova_metadata/krb-service-principals.yaml b/extraconfig/nova_metadata/krb-service-principals.yaml new file mode 100644 index 00000000..c66e6460 --- /dev/null +++ b/extraconfig/nova_metadata/krb-service-principals.yaml 
@@ -0,0 +1,84 @@ +heat_template_version: ocata +description: 'Generates the relevant service principals for a server' + +parameters: + RoleData: + type: json + description: the list containing the 'role_data' output for the ServiceChain + + # Coming from parameter_defaults + CloudName: + default: overcloud.localdomain + description: The DNS name of this cloud. E.g. ci-overcloud.tripleo.org + type: string + CloudNameInternal: + default: overcloud.internalapi.localdomain + description: > + The DNS name of this cloud's internal API endpoint. E.g. + 'ci-overcloud.internalapi.tripleo.org'. + type: string + CloudNameStorage: + default: overcloud.storage.localdomain + description: > + The DNS name of this cloud's storage endpoint. E.g. + 'ci-overcloud.storage.tripleo.org'. + type: string + CloudNameStorageManagement: + default: overcloud.storagemgmt.localdomain + description: > + The DNS name of this cloud's storage management endpoint. E.g. + 'ci-overcloud.storagemgmt.tripleo.org'. + type: string + CloudNameCtlplane: + default: overcloud.ctlplane.localdomain + description: > + The DNS name of this cloud's storage management endpoint. E.g. + 'ci-overcloud.management.tripleo.org'. + type: string + +resources: + + IncomingMetadataSettings: + type: OS::Heat::Value + properties: + value: + yaql: + # Filter null values and values that contain don't contain + # 'metadata_settings', get the values from that key and get the + # unique ones. 
+ expression: list($.data.where($ != null).where($.containsKey('metadata_settings')).metadata_settings.flatten().distinct()) + data: {get_param: RoleData} + + # Generates entries for nova metadata with the following format: + # 'managed_service_<id>' : <service>/<fqdn> + # Depending on the requested network + IndividualServices: + type: OS::Heat::Value + properties: + value: + yaql: + expression: let(fqdns => $.data.fqdns) -> dict($.data.metadata.where($ != null and $.type = 'vip').select([concat('managed_service_', $.service, $.network), concat($.service, '/', $fqdns.get($.network))])) + data: + metadata: {get_attr: [IncomingMetadataSettings, value]} + fqdns: + external: {get_param: CloudName} + internal_api: {get_param: CloudNameInternal} + storage: {get_param: CloudNameStorage} + storage_mgmt: {get_param: CloudNameStorageManagement} + ctlplane: {get_param: CloudNameCtlplane} + + CompactServices: + type: OS::Heat::Value + properties: + value: + yaql: + expression: dict($.data.where($ != null and $.type = 'node').select([$.service, $.network.replace('_', '')]).groupBy($[0], $[1])) + data: {get_attr: [IncomingMetadataSettings, value]} + +outputs: + metadata: + description: actual metadata entries that will be passed to the server. + value: + map_merge: + - {get_attr: [IndividualServices, value]} + - compact_services: {get_attr: [CompactServices, value]} diff --git a/extraconfig/tasks/major_upgrade_block_storage.sh b/extraconfig/tasks/major_upgrade_block_storage.sh deleted file mode 100644 index 64c4457e..00000000 --- a/extraconfig/tasks/major_upgrade_block_storage.sh +++ /dev/null @@ -1,11 +0,0 @@ -#!/bin/bash -# -# This runs an upgrade of Cinder Block Storage nodes. -# -set -eu - -# Special-case OVS for https://bugs.launchpad.net/tripleo/+bug/1635205 -special_case_ovs_upgrade_if_needed - -yum -y install python-zaqarclient # needed for os-collect-config -yum -y -q update 
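Review bot: In `IndividualServices` the host part of each principal comes from `$fqdns.get($.network)`, and the `fqdns` map only has the keys external, internal_api, storage, storage_mgmt and ctlplane, so a `metadata_settings` entry that names any other network has no FQDN to resolve to. How `concat` treats the resulting null is not visible here. I would either filter on it, `.where($ != null and $.type = 'vip' and $fqdns.containsKey($.network))`, or list the accepted network names in the comment above the resource so a bad entry is caught in review rather than as a malformed principal. Separately, the `CloudNameCtlplane` description repeats the storage-management text, and the comment in `IncomingMetadataSettings` reads "contain don't contain"; `The DNS name of this cloud's ctlplane endpoint.` and `values that don't contain` would fix both.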
diff --git a/extraconfig/tasks/major_upgrade_ceph_mon.sh b/extraconfig/tasks/major_upgrade_ceph_mon.sh deleted file mode 100755 index e0d160f1..00000000 --- a/extraconfig/tasks/major_upgrade_ceph_mon.sh +++ /dev/null 
@@ -1,82 +0,0 @@ -#!/bin/bash -set -eu -set -o pipefail - -echo INFO: starting $(basename "$0") - -# Exit if not running -if ! pidof ceph-mon &> /dev/null; then - echo INFO: ceph-mon is not running, skipping - exit 0 -fi - -# Exit if not Hammer -INSTALLED_VERSION=$(ceph --version | awk '{print $3}') -if ! [[ "$INSTALLED_VERSION" =~ ^0\.94.* ]]; then - echo INFO: version of Ceph installed is not 0.94, skipping - exit 0 -fi - -CEPH_STATUS=$(ceph health | awk '{print $1}') -if [ ${CEPH_STATUS} = HEALTH_ERR ]; then - echo ERROR: Ceph cluster status is HEALTH_ERR, cannot be upgraded - exit 1 -fi - -# Useful when upgrading with OSDs num < replica size -if [[ ${ignore_ceph_upgrade_warnings:-False} != [Tt]rue ]]; then - timeout 300 bash -c "while [ ${CEPH_STATUS} != HEALTH_OK ]; do - echo WARNING: Waiting for Ceph cluster status to go HEALTH_OK; - sleep 30; - CEPH_STATUS=$(ceph health | awk '{print $1}') - done" -fi - -MON_PID=$(pidof ceph-mon) -MON_ID=$(hostname -s) - -# Stop daemon using Hammer sysvinit script -service ceph stop mon.${MON_ID} - -# Ensure it's stopped -timeout 60 bash -c "while kill -0 ${MON_PID} 2> /dev/null; do - sleep 2; -done" - -# Update to Jewel -yum -y -q update ceph-mon ceph - -# Restart/Exit if not on Jewel, only in that case we need the changes -UPDATED_VERSION=$(ceph --version | awk '{print $3}') -if [[ "$UPDATED_VERSION" =~ ^0\.94.* ]]; then - echo WARNING: Ceph was not upgraded, restarting daemons - service ceph start mon.${MON_ID} -elif [[ "$UPDATED_VERSION" =~ ^10\.2.* ]]; then - # RPM could own some of these but we can't take risks on the pre-existing files - for d in /var/lib/ceph/mon /var/log/ceph /var/run/ceph /etc/ceph; do - chown -L -R ceph:ceph $d || echo WARNING: chown of $d failed - done - - # Replay udev events with newer rules - udevadm trigger - - # Enable systemd unit - systemctl enable ceph-mon.target - systemctl enable ceph-mon@${MON_ID} - systemctl start ceph-mon@${MON_ID} - - # Wait for daemon to be back in the quorum - 
timeout 300 bash -c "until (ceph quorum_status | jq .quorum_names | grep -sq ${MON_ID}); do - echo WARNING: Waiting for mon.${MON_ID} to re-join quorum; - sleep 10; - done" - - # if tunables become legacy, cluster status will be HEALTH_WARN causing - # upgrade to fail on following node - ceph osd crush tunables default - - echo INFO: Ceph was upgraded to Jewel -else - echo ERROR: Ceph was upgraded to an unknown release, daemon is stopped, need manual intervention - exit 1 -fi diff --git a/extraconfig/tasks/major_upgrade_ceph_storage.sh b/extraconfig/tasks/major_upgrade_ceph_storage.sh deleted file mode 100644 index a745e723..00000000 --- a/extraconfig/tasks/major_upgrade_ceph_storage.sh +++ /dev/null 
@@ -1,106 +0,0 @@ -#!/bin/bash -# -# This delivers the ceph-storage upgrade script to be invoked as part of the tripleo -# major upgrade workflow. -# -set -eu -set -o pipefail - -UPGRADE_SCRIPT=/root/tripleo_upgrade_node.sh - -declare -f special_case_ovs_upgrade_if_needed > $UPGRADE_SCRIPT -# use >> here so we don't lose the declaration we added above -cat >> $UPGRADE_SCRIPT << 'ENDOFCAT' -#!/bin/bash -### DO NOT MODIFY THIS FILE -### This file is automatically delivered to the ceph-storage nodes as part of the -### tripleo upgrades workflow -set -eu - -echo INFO: starting $(basename "$0") - -# Exit if not running -if ! pidof ceph-osd &> /dev/null; then - echo INFO: ceph-osd is not running, skipping - exit 0 -fi - -# Exit if not Hammer -INSTALLED_VERSION=$(ceph --version | awk '{print $3}') -if ! [[ "$INSTALLED_VERSION" =~ ^0\.94.* ]]; then - echo INFO: version of Ceph installed is not 0.94, skipping - exit 0 -fi - -OSD_PIDS=$(pidof ceph-osd) -OSD_IDS=$(ls /var/lib/ceph/osd | awk 'BEGIN { FS = "-" } ; { print $2 }') - -# "so that mirrors aren't rebalanced as if the OSD died" - gfidente / leseb -ceph osd set noout -ceph osd set norebalance -ceph osd set nodeep-scrub -ceph osd set noscrub - -# Stop daemon using Hammer sysvinit script -for OSD_ID in $OSD_IDS; do - service ceph stop osd.${OSD_ID} -done - -# Nice guy will return non-0 only when all failed -timeout 60 bash -c "while kill -0 ${OSD_PIDS} 2> /dev/null; do - sleep 2; -done" - -special_case_ovs_upgrade_if_needed - -# Update (Ceph to Jewel) -yum -y install python-zaqarclient # needed for os-collect-config -yum -y update - -# Restart/Exit if not on Jewel, only in that case we need the changes -UPDATED_VERSION=$(ceph --version | awk '{print $3}') -if [[ "$UPDATED_VERSION" =~ ^0\.94.* ]]; then - echo WARNING: Ceph was not upgraded, restarting daemon - for OSD_ID in $OSD_IDS; do - service ceph start osd.${OSD_ID} - done -elif [[ "$UPDATED_VERSION" =~ ^10\.2.* ]]; then - # RPM could own some of these but we can't 
take risks on the pre-existing files - for d in /var/lib/ceph/osd /var/log/ceph /var/run/ceph /etc/ceph; do - chown -L -R ceph:ceph $d || echo WARNING: chown of $d failed - done - - # Replay udev events with newer rules - udevadm trigger && udevadm settle - - # If on ext4, we need to enforce lower values for name and namespace len - # or ceph-osd will refuse to start, see: http://tracker.ceph.com/issues/16187 - for OSD_ID in $OSD_IDS; do - OSD_FS=$(df -l --output=fstype /var/lib/ceph/osd/ceph-${OSD_ID} | tail -n +2) - if [ ${OSD_FS} = ext4 ]; then - crudini --set /etc/ceph/ceph.conf global osd_max_object_name_len 256 - crudini --set /etc/ceph/ceph.conf global osd_max_object_namespace_len 64 - fi - done - - # Enable systemd unit - systemctl enable ceph-osd.target - for OSD_ID in $OSD_IDS; do - systemctl enable ceph-osd@${OSD_ID} - systemctl start ceph-osd@${OSD_ID} - done - - echo INFO: Ceph was upgraded to Jewel -else - echo ERROR: Ceph was upgraded to an unknown release, daemon is stopped, need manual intervention - exit 1 -fi - -ceph osd unset noout -ceph osd unset norebalance -ceph osd unset nodeep-scrub -ceph osd unset noscrub -ENDOFCAT - -# ensure the permissions are OK -chmod 0755 $UPGRADE_SCRIPT diff --git a/extraconfig/tasks/major_upgrade_compute.sh b/extraconfig/tasks/major_upgrade_compute.sh deleted file mode 100644 index 7a3e1073..00000000 --- a/extraconfig/tasks/major_upgrade_compute.sh +++ /dev/null 
@@ -1,35 +0,0 @@ -#!/bin/bash -# -# This delivers the compute upgrade script to be invoked as part of the tripleo -# major upgrade workflow. -# -set -eu - -UPGRADE_SCRIPT=/root/tripleo_upgrade_node.sh - -cat > $UPGRADE_SCRIPT << ENDOFCAT -### DO NOT MODIFY THIS FILE -### This file is automatically delivered to the compute nodes as part of the -### tripleo upgrades workflow - -set -eu - -# pin nova to kilo (messaging +-1) for the nova-compute service - -crudini --set /etc/nova/nova.conf upgrade_levels compute $upgrade_level_nova_compute - -$(declare -f special_case_ovs_upgrade_if_needed) -special_case_ovs_upgrade_if_needed - -yum -y install python-zaqarclient # needed for os-collect-config -yum -y update - -# Due to bug#1640177 we need to restart compute agent -echo "Restarting openstack ceilometer agent compute" -systemctl restart openstack-ceilometer-compute - -ENDOFCAT - -# ensure the permissions are OK -chmod 0755 $UPGRADE_SCRIPT - diff --git a/extraconfig/tasks/major_upgrade_object_storage.sh b/extraconfig/tasks/major_upgrade_object_storage.sh deleted file mode 100644 index d9d1b4d5..00000000 --- a/extraconfig/tasks/major_upgrade_object_storage.sh +++ /dev/null 
@@ -1,42 +0,0 @@ -#!/bin/bash -# -# This delivers the swift-storage upgrade script to be invoked as part of the tripleo -# major upgrade workflow. -# -set -eu - -UPGRADE_SCRIPT=/root/tripleo_upgrade_node.sh - -cat > $UPGRADE_SCRIPT << ENDOFCAT -### DO NOT MODIFY THIS FILE -### This file is automatically delivered to the swift-storage nodes as part of the -### tripleo upgrades workflow - -set -eu - -function systemctl_swift { - action=\$1 - for S in openstack-swift-account-auditor openstack-swift-account-reaper openstack-swift-account-replicator openstack-swift-account \ - openstack-swift-container-auditor openstack-swift-container-replicator openstack-swift-container-updater openstack-swift-container \ - openstack-swift-object-auditor openstack-swift-object-replicator openstack-swift-object-updater openstack-swift-object; do - systemctl \$action \$S - done -} - -$(declare -f special_case_ovs_upgrade_if_needed) -special_case_ovs_upgrade_if_needed - -systemctl_swift stop - -yum -y install python-zaqarclient # needed for os-collect-config -yum -y update - -systemctl_swift start - - - -ENDOFCAT - -# ensure the permissions are OK -chmod 0755 $UPGRADE_SCRIPT - diff --git a/extraconfig/tasks/major_upgrade_pacemaker.yaml b/extraconfig/tasks/major_upgrade_pacemaker.yaml index b63aafbd..8c91027d 100644 --- a/extraconfig/tasks/major_upgrade_pacemaker.yaml +++ b/extraconfig/tasks/major_upgrade_pacemaker.yaml 
@@ -33,33 +33,6 @@ resources: # map_merge with input_values instead of feeding params into scripts # via str_replace on bash snippets - CephMonUpgradeConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - config: - list_join: - - '' - - - str_replace: - template: | - #!/bin/bash - ignore_ceph_upgrade_warnings='IGNORE_CEPH_UPGRADE_WARNINGS' - params: - IGNORE_CEPH_UPGRADE_WARNINGS: {get_param: IgnoreCephUpgradeWarnings} - - get_file: major_upgrade_ceph_mon.sh - - CephMonUpgradeDeployment: - type: OS::Heat::SoftwareDeploymentGroup - properties: - servers: {get_param: [servers, Controller]} - config: {get_resource: CephMonUpgradeConfig} - input_values: {get_param: input_values} - update_policy: - batch_create: - max_batch_size: 1 - rolling_update: - max_batch_size: 1 - ControllerPacemakerUpgradeConfig_Step1: type: OS::Heat::SoftwareConfig properties: @@ -86,30 +59,11 @@ resources: ControllerPacemakerUpgradeDeployment_Step1: type: OS::Heat::SoftwareDeploymentGroup - depends_on: CephMonUpgradeDeployment properties: servers: {get_param: [servers, Controller]} config: {get_resource: ControllerPacemakerUpgradeConfig_Step1} input_values: {get_param: input_values} - BlockStorageUpgradeConfig: - type: OS::Heat::SoftwareConfig - depends_on: ControllerPacemakerUpgradeDeployment_Step1 - properties: - group: script - config: - list_join: - - '' - - - get_file: pacemaker_common_functions.sh - - get_file: major_upgrade_block_storage.sh - - BlockStorageUpgradeDeployment: - type: OS::Heat::SoftwareDeploymentGroup - properties: - servers: {get_param: [servers, BlockStorage]} - config: {get_resource: BlockStorageUpgradeConfig} - input_values: {get_param: input_values} - ControllerPacemakerUpgradeConfig_Step2: type: OS::Heat::SoftwareConfig properties: 
@@ -136,7 +90,7 @@ resources: ControllerPacemakerUpgradeDeployment_Step2: type: OS::Heat::SoftwareDeploymentGroup - depends_on: BlockStorageUpgradeDeployment + depends_on: ControllerPacemakerUpgradeDeployment_Step1 properties: servers: {get_param: [servers, Controller]} config: {get_resource: ControllerPacemakerUpgradeConfig_Step2} diff --git a/extraconfig/tasks/major_upgrade_pacemaker_init.j2.yaml b/extraconfig/tasks/major_upgrade_pacemaker_init.j2.yaml deleted file mode 100644 index c308720b..00000000 --- a/extraconfig/tasks/major_upgrade_pacemaker_init.j2.yaml +++ /dev/null 
@@ -1,96 +0,0 @@ -heat_template_version: ocata -description: 'Upgrade for Pacemaker deployments' - -parameters: - - servers: - type: json - input_values: - type: json - description: input values for the software deployments - - UpgradeInitCommand: - type: string - description: | - Command or script snippet to run on all overcloud nodes to - initialize the upgrade process. E.g. a repository switch. - default: '' - UpgradeLevelNovaCompute: - type: string - description: Nova Compute upgrade level - default: '' - -resources: - - # For the UpgradeInit also rename /etc/resolv.conf.save for +bug/1567004 - - UpgradeInitConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - config: - list_join: - - '' - - - "#!/bin/bash\n\n" - - "if [[ -f /etc/resolv.conf.save ]] ; then rm /etc/resolv.conf.save; fi\n\n" - - get_param: UpgradeInitCommand - - # TODO(jistr): for Mitaka->Newton upgrades and further we can use - # map_merge with input_values instead of feeding params into scripts - # via str_replace on bash snippets - - # FIXME(shardy) we have hard-coded per-role *ScriptConfig's here - # Would be better to have a common config for all roles - ComputeDeliverUpgradeScriptConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - config: - list_join: - - '' - - - str_replace: - template: | - #!/bin/bash - upgrade_level_nova_compute='UPGRADE_LEVEL_NOVA_COMPUTE' - params: - UPGRADE_LEVEL_NOVA_COMPUTE: {get_param: UpgradeLevelNovaCompute} - - get_file: pacemaker_common_functions.sh - - get_file: major_upgrade_compute.sh - - ObjectStorageDeliverUpgradeScriptConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - config: - list_join: - - '' - - - get_file: pacemaker_common_functions.sh - - get_file: major_upgrade_object_storage.sh - - CephStorageDeliverUpgradeScriptConfig: - type: OS::Heat::SoftwareConfig - properties: - group: script - config: - list_join: - - '' - - - get_file: pacemaker_common_functions.sh - - get_file: 
major_upgrade_ceph_storage.sh - -{% for role in roles %} - UpgradeInit{{role.name}}Deployment: - type: OS::Heat::SoftwareDeploymentGroup - properties: - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: UpgradeInitConfig} - input_values: {get_param: input_values} - - {% if not role.name in ['Controller', 'BlockStorage'] %} - {{role.name}}DeliverUpgradeScriptDeployment: - type: OS::Heat::SoftwareDeploymentGroup - properties: - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}DeliverUpgradeScriptConfig} - input_values: {get_param: input_values} - {% endif %} -{% endfor %} diff --git a/extraconfig/tasks/tripleo_upgrade_node.sh b/extraconfig/tasks/tripleo_upgrade_node.sh new file mode 100644 index 00000000..27ba33a8 --- /dev/null +++ b/extraconfig/tasks/tripleo_upgrade_node.sh 
@@ -0,0 +1,54 @@ +#!/bin/bash +# +# This delivers the operator driven upgrade script to be invoked as part of +# the tripleo major upgrade workflow. The utility 'upgrade-non-controller.sh' +# is used from the undercloud to invoke the /root/tripleo_upgrade_node.sh +# +set -eu + +UPGRADE_SCRIPT=/root/tripleo_upgrade_node.sh + +cat > $UPGRADE_SCRIPT << ENDOFCAT +### DO NOT MODIFY THIS FILE +### This file is automatically delivered to those nodes where the +### disable_upgrade_deployment flag is set in roles_data.yaml. + +set -eu +NOVA_COMPUTE="" +if systemctl show 'openstack-nova-compute' --property ActiveState | grep '\bactive\b'; then + NOVA_COMPUTE="true" +fi + +DEBUG="true" +SCRIPT_NAME=$(basename $0) +$(declare -f log_debug) +$(declare -f manage_systemd_service) +$(declare -f systemctl_swift) + +# pin nova messaging +-1 for the nova-compute service +if [[ -n \$NOVA_COMPUTE ]]; then + crudini --set /etc/nova/nova.conf upgrade_levels compute auto +fi + +$(declare -f special_case_ovs_upgrade_if_needed) +special_case_ovs_upgrade_if_needed + +yum -y install python-zaqarclient # needed for os-collect-config +systemctl_swift stop +yum -y update +systemctl_swift start + +# Due to bug#1640177 we need to restart compute agent +if [[ -n \$NOVA_COMPUTE ]]; then + echo "Restarting openstack ceilometer agent compute" + systemctl restart openstack-ceilometer-compute +fi + +# Apply puppet manifest to converge just right after the \$ROLE upgrade +puppet apply /root/${ROLE}_puppet_config.pp + +ENDOFCAT + +# ensure the permissions are OK +chmod 0755 $UPGRADE_SCRIPT + diff --git a/extraconfig/tasks/yum_update.sh b/extraconfig/tasks/yum_update.sh index 74af7b02..c66dd01f 100755 --- a/extraconfig/tasks/yum_update.sh +++ b/extraconfig/tasks/yum_update.sh 
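Review bot: `SCRIPT_NAME=$(basename $0)` sits inside the unquoted `<< ENDOFCAT` heredoc without escaping, so it is expanded while this delivery script runs, and the generated /root/tripleo_upgrade_node.sh gets the delivering script's name baked in. `\$NOVA_COMPUTE` a few lines further down is escaped, which suggests `SCRIPT_NAME=\$(basename \$0)` was intended. `${ROLE}` in the `puppet apply` line is also expanded at delivery time, and under `set -eu` the delivery aborts if the caller has not set it. Nothing in this file defines `ROLE`, `log_debug`, `manage_systemd_service` or `systemctl_swift`, so a header comment naming the snippet that supplies them would help. If one of those functions is missing, `$(declare -f …)` expands to nothing without failing, and the generated script only breaks later on the node, at `systemctl_swift stop`.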
@@ -10,6 +10,11 @@ echo "Started yum_update.sh on server $deploy_server_id at `date`" echo -n "false" > $heat_outputs_path.update_managed_packages +if [ -f /.dockerenv ]; then + echo "Not running due to running inside a container" + exit 0 +fi + if [[ -z "$update_identifier" ]]; then echo "Not running due to unset update_identifier" exit 0 @@ -42,7 +47,7 @@ if [[ "$list_updates" == "" ]]; then exit 0 fi -pacemaker_status=$(systemctl is-active pacemaker) +pacemaker_status=$(systemctl is-active pacemaker || :) # Fix the redis/rabbit resource start/stop timeouts. See https://bugs.launchpad.net/tripleo/+bug/1633455 # and https://bugs.launchpad.net/tripleo/+bug/1634851 diff --git a/firstboot/install_vrouter_kmod.yaml b/firstboot/install_vrouter_kmod.yaml new file mode 100644 index 00000000..e936e605 --- /dev/null +++ b/firstboot/install_vrouter_kmod.yaml 
@@ -0,0 +1,105 @@ +heat_template_version: ocata + +parameters: + ContrailRepo: + type: string + default: http://192.168.24.1/contrail + VrouterPhysicalInterface: + default: 'eth0' + description: vRouter physical interface + type: string + +description: > + Prepares vhost0 interface to be used by os-net-config + +resources: + userdata: + type: OS::Heat::MultipartMime + properties: + parts: + - config: {get_resource: vrouter_module_config} + + vrouter_module_config: + type: OS::Heat::SoftwareConfig + properties: + config: + str_replace: + template: | + #!/bin/bash + sed -i '/\[main\]/a \ \ \ \ \parser = future' /etc/puppet/puppet.conf + cat <<EOF > /etc/yum.repos.d/contrail.repo + [Contrail] + name=Contrail Repo + baseurl=$contrail_repo + enabled=1 + gpgcheck=0 + protect=1 + EOF + if [[ `hostname |awk -F"-" '{print $2}'` == "novacompute" || `hostname |awk -F"-" '{print $2}'` == "contrailtsn" ]]; then + yum install -y contrail-vrouter-utils + function pkt_setup () { + for f in /sys/class/net/$1/queues/rx-* + do + q="$(echo $f | cut -d '-' -f2)" + r=$(($q%32)) + s=$(($q/32)) + ((mask=1<<$r)) + str=(`printf "%x" $mask`) + if [ $s -gt 0 ]; then + for ((i=0; i < $s; i++)) + do + str+=,00000000 + done + fi + echo $str > $f/rps_cpus + done + ifconfig $1 up + } + function insert_vrouter() { + insmod /tmp/vrouter.ko + if [ -f /sys/class/net/pkt1/queues/rx-0/rps_cpus ]; then + pkt_setup pkt1 + fi + if [ -f /sys/class/net/pkt2/queues/rx-0/rps_cpus ]; then + pkt_setup pkt2 + fi + if [ -f /sys/class/net/pkt3/queues/rx-0/rps_cpus ]; then + pkt_setup pkt3 + fi + DEV_MAC=$(cat /sys/class/net/$phy_int/address) + vif --create vhost0 --mac $DEV_MAC + vif --add $phy_int --mac $DEV_MAC --vrf 0 --vhost-phys --type physical + vif --add vhost0 --mac $DEV_MAC --vrf 0 --type vhost --xconnect $phy_int + ip link set vhost0 up + return 0 + } + yumdownloader contrail-vrouter --destdir /tmp + cd /tmp + rpm2cpio /tmp/contrail-vrouter*.rpm | cpio -idmv + cp `find /tmp/lib/modules -name vrouter.ko 
|tail -1` /tmp + insert_vrouter + if [[ `ifconfig $dev |grep "inet "` ]]; then + def_gw='' + if [[ `ip route show |grep default|grep $dev` ]]; then + def_gw=`ip route show |grep default|grep $dev|awk '{print $3}'` + fi + ip=`ifconfig $dev |grep "inet "|awk '{print $2}'` + mask=`ifconfig $dev |grep "inet "|awk '{print $4}'` + ip address delete $ip/$mask dev $dev + ip address add $ip/$mask dev vhost0 + if [[ $def_gw ]]; then + ip route add default via $def_gw + fi + fi + fi + params: + $phy_int: {get_param: VrouterPhysicalInterface} + $contrail_repo: {get_param: ContrailRepo} + +outputs: + # This means get_resource from the parent template will get the userdata, see: + # http://docs.openstack.org/developer/heat/template_guide/composition.html#making-your-template-resource-more-transparent + # Note this is new-for-kilo, an alternative is returning a value then using + # get_attr in the parent template instead. + OS::stack_id: + value: {get_resource: userdata} diff --git a/network/endpoints/build_endpoint_map.py b/network/endpoints/build_endpoint_map.py index 7e8088be..990cbabc 100755 --- a/network/endpoints/build_endpoint_map.py +++ b/network/endpoints/build_endpoint_map.py @@ -280,8 +280,9 @@ def main(): try: if options.check: if not check_up_to_date(options.output_file, options.input_file): - print('EndpointMap template does not match input data', - file=sys.stderr) + print('EndpointMap template does not match input data. Please ' + 'run the build_endpoint_map.py tool to update the ' + 'template.', file=sys.stderr) sys.exit(2) else: build_endpoint_map(options.output_file, options.input_file) diff --git a/network/endpoints/endpoint_data.yaml b/network/endpoints/endpoint_data.yaml index 5a7bdda9..277bd676 100644 --- a/network/endpoints/endpoint_data.yaml +++ b/network/endpoints/endpoint_data.yaml 
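Review bot: The generated contrail.repo sets `gpgcheck=0` and the default `ContrailRepo` is a plain `http://` URL, and the script then extracts `vrouter.ko` from a package out of that repo and loads it with `insmod`, so nothing authenticates the kernel module before it runs in the kernel. I would turn verification on with `gpgcheck=1` plus a `gpgkey=<URL or path of the repo signing key>` line (placeholder; the key location is not on this page), ideally exposed as a template parameter next to `ContrailRepo`. The download, the `rpm2cpio | cpio` extraction and `insmod /tmp/vrouter.ko` all use fixed paths under /tmp; a private directory from `mktemp -d` would avoid picking up pre-existing content there. Also, `$dev` in the address-migration block is never assigned and is not in `params`, so the `ifconfig $dev` calls run with an empty name; presumably `$phy_int` was meant.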
@@ -28,6 +28,96 @@ Ceilometer: net_param: CeilometerApi port: 8777 +ContrailConfig: + Internal: + net_param: ContrailConfig + Public: + net_param: Public + Admin: + net_param: ContrailConfig + port: 8082 + +ContrailDiscovery: + Internal: + net_param: ContrailConfig + Public: + net_param: Public + Admin: + net_param: ContrailConfig + port: 5998 + +ContrailAnalyticsCollectorHttp: + Internal: + net_param: ContrailAnalytics + Public: + net_param: Public + Admin: + net_param: ContrailAnalytics + port: 8089 + +ContrailAnalyticsApi: + Internal: + net_param: ContrailAnalytics + Public: + net_param: Public + Admin: + net_param: ContrailAnalytics + port: 8081 + +ContrailAnalyticsHttp: + Internal: + net_param: ContrailAnalytics + Public: + net_param: Public + Admin: + net_param: ContrailAnalytics + port: 8090 + +ContrailAnalyticsCollectorSandesh: + Internal: + net_param: ContrailAnalytics + Public: + net_param: Public + Admin: + net_param: ContrailAnalytics + port: 8086 + +ContrailAnalyticsRedis: + Internal: + net_param: ContrailAnalytics + Public: + net_param: Public + Admin: + net_param: ContrailAnalytics + port: 6379 + +ContrailWebuiHttp: + Internal: + net_param: ContrailConfig + Public: + net_param: Public + Admin: + net_param: ContrailConfig + port: 8080 + +ContrailWebuiHttps: + Internal: + net_param: ContrailConfig + Public: + net_param: Public + Admin: + net_param: ContrailConfig + port: 8143 + +Ec2Api: + Internal: + net_param: Ec2Api + Public: + net_param: Public + Admin: + net_param: Ec2Api + port: 8788 + Gnocchi: Internal: net_param: GnocchiApi @@ -67,6 +157,15 @@ Cinder: V3: /v3/%(tenant_id)s port: 8776 +Congress: + Internal: + net_param: CongressApi + Public: + net_param: Public + Admin: + net_param: CongressApi + port: 1789 + Glance: Internal: net_param: GlanceApi 
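Review bot: `ContrailAnalyticsRedis` is given a `Public: net_param: Public` entry on port 6379, which publishes a Redis endpoint on the public network in the endpoint map. Unless something outside this hunk requires it, I would point that entry at `ContrailAnalytics` like its `Internal` and `Admin` entries, or add a comment stating why a public Redis endpoint is needed and how access to it is restricted. In the same hunk `ContrailWebuiHttps` (port 8143) declares no `protocol:`, and the regenerated endpoint_map.yaml in this commit lists it as `protocol: http`; if the key accepts it the way `ZaqarWebSocket` uses `protocol: ws`, adding `protocol: https` would make the map match the service name.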
@@ -272,6 +371,15 @@ Sahara: '': /v1.1/%(tenant_id)s port: 8386 +Tacker: + Internal: + net_param: TackerApi + Public: + net_param: Public + Admin: + net_param: TackerApi + port: 9890 + Ironic: Internal: net_param: IronicApi @@ -305,3 +413,12 @@ ZaqarWebSocket: net_param: ZaqarApi port: 9000 protocol: ws + +Octavia: + Internal: + net_param: OctaviaApi + Public: + net_param: Public + Admin: + net_param: OctaviaApi + port: 9876 diff --git a/network/endpoints/endpoint_map.yaml b/network/endpoints/endpoint_map.yaml index 8ce62484..fecac0af 100644 --- a/network/endpoints/endpoint_map.yaml +++ b/network/endpoints/endpoint_map.yaml 
@@ -34,6 +34,45 @@ parameters: CinderAdmin: {protocol: http, port: '8776', host: IP_ADDRESS} CinderInternal: {protocol: http, port: '8776', host: IP_ADDRESS} CinderPublic: {protocol: http, port: '8776', host: IP_ADDRESS} + CongressAdmin: {protocol: http, port: '1789', host: IP_ADDRESS} + CongressInternal: {protocol: http, port: '1789', host: IP_ADDRESS} + CongressPublic: {protocol: http, port: '1789', host: IP_ADDRESS} + ContrailAnalyticsApiAdmin: {protocol: http, port: '8081', host: IP_ADDRESS} + ContrailAnalyticsApiInternal: {protocol: http, port: '8081', host: IP_ADDRESS} + ContrailAnalyticsApiPublic: {protocol: http, port: '8081', host: IP_ADDRESS} + ContrailAnalyticsCollectorHttpAdmin: {protocol: http, port: '8089', + host: IP_ADDRESS} + ContrailAnalyticsCollectorHttpInternal: {protocol: http, port: '8089', + host: IP_ADDRESS} + ContrailAnalyticsCollectorHttpPublic: {protocol: http, port: '8089', + host: IP_ADDRESS} + ContrailAnalyticsCollectorSandeshAdmin: {protocol: http, port: '8086', + host: IP_ADDRESS} + ContrailAnalyticsCollectorSandeshInternal: {protocol: http, port: '8086', + host: IP_ADDRESS} + ContrailAnalyticsCollectorSandeshPublic: {protocol: http, port: '8086', + host: IP_ADDRESS} + ContrailAnalyticsHttpAdmin: {protocol: http, port: '8090', host: IP_ADDRESS} + ContrailAnalyticsHttpInternal: {protocol: http, port: '8090', host: IP_ADDRESS} + ContrailAnalyticsHttpPublic: {protocol: http, port: '8090', host: IP_ADDRESS} + ContrailAnalyticsRedisAdmin: {protocol: http, port: '6379', host: IP_ADDRESS} + ContrailAnalyticsRedisInternal: {protocol: http, port: '6379', host: IP_ADDRESS} + ContrailAnalyticsRedisPublic: {protocol: http, port: '6379', host: IP_ADDRESS} + ContrailConfigAdmin: {protocol: http, port: '8082', host: IP_ADDRESS} + ContrailConfigInternal: {protocol: http, port: '8082', host: IP_ADDRESS} + ContrailConfigPublic: {protocol: http, port: '8082', host: IP_ADDRESS} + ContrailDiscoveryAdmin: {protocol: http, port: '5998', host: IP_ADDRESS} + 
ContrailDiscoveryInternal: {protocol: http, port: '5998', host: IP_ADDRESS} + ContrailDiscoveryPublic: {protocol: http, port: '5998', host: IP_ADDRESS} + ContrailWebuiHttpAdmin: {protocol: http, port: '8080', host: IP_ADDRESS} + ContrailWebuiHttpInternal: {protocol: http, port: '8080', host: IP_ADDRESS} + ContrailWebuiHttpPublic: {protocol: http, port: '8080', host: IP_ADDRESS} + ContrailWebuiHttpsAdmin: {protocol: http, port: '8143', host: IP_ADDRESS} + ContrailWebuiHttpsInternal: {protocol: http, port: '8143', host: IP_ADDRESS} + ContrailWebuiHttpsPublic: {protocol: http, port: '8143', host: IP_ADDRESS} + Ec2ApiAdmin: {protocol: http, port: '8788', host: IP_ADDRESS} + Ec2ApiInternal: {protocol: http, port: '8788', host: IP_ADDRESS} + Ec2ApiPublic: {protocol: http, port: '8788', host: IP_ADDRESS} GlanceAdmin: {protocol: http, port: '9292', host: IP_ADDRESS} GlanceInternal: {protocol: http, port: '9292', host: IP_ADDRESS} GlancePublic: {protocol: http, port: '9292', host: IP_ADDRESS} @@ -72,6 +111,9 @@ parameters: NovaVNCProxyAdmin: {protocol: http, port: '6080', host: IP_ADDRESS} NovaVNCProxyInternal: {protocol: http, port: '6080', host: IP_ADDRESS} NovaVNCProxyPublic: {protocol: http, port: '6080', host: IP_ADDRESS} + OctaviaAdmin: {protocol: http, port: '9876', host: IP_ADDRESS} + OctaviaInternal: {protocol: http, port: '9876', host: IP_ADDRESS} + OctaviaPublic: {protocol: http, port: '9876', host: IP_ADDRESS} PankoAdmin: {protocol: http, port: '8779', host: IP_ADDRESS} PankoInternal: {protocol: http, port: '8779', host: IP_ADDRESS} PankoPublic: {protocol: http, port: '8779', host: IP_ADDRESS} 
@@ -81,6 +123,9 @@ parameters: SwiftAdmin: {protocol: http, port: '8080', host: IP_ADDRESS} SwiftInternal: {protocol: http, port: '8080', host: IP_ADDRESS} SwiftPublic: {protocol: http, port: '8080', host: IP_ADDRESS} + TackerAdmin: {protocol: http, port: '9890', host: IP_ADDRESS} + TackerInternal: {protocol: http, port: '9890', host: IP_ADDRESS} + TackerPublic: {protocol: http, port: '9890', host: IP_ADDRESS} ZaqarAdmin: {protocol: http, port: '8888', host: IP_ADDRESS} ZaqarInternal: {protocol: http, port: '8888', host: IP_ADDRESS} ZaqarPublic: {protocol: http, port: '8888', host: IP_ADDRESS} 
@@ -1810,6 +1855,2775 @@ outputs: template: NETWORK_uri - ':' - get_param: [EndpointMap, CinderPublic, port] + CongressAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, CongressAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, CongressApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, CongressApiNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, CongressAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, CongressApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, CongressApiNetwork] + port: + get_param: [EndpointMap, CongressAdmin, port] + protocol: + get_param: [EndpointMap, CongressAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, CongressAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, CongressAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, CongressApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, CongressApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, CongressAdmin, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, CongressAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, CongressAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, CongressApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, CongressApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, CongressAdmin, port] + CongressInternal: + host: + str_replace: + template: + get_param: [EndpointMap, CongressInternal, host] + params: + CLOUDNAME: + get_param: + - 
CloudEndpoints + - get_param: [ServiceNetMap, CongressApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, CongressApiNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, CongressInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, CongressApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, CongressApiNetwork] + port: + get_param: [EndpointMap, CongressInternal, port] + protocol: + get_param: [EndpointMap, CongressInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, CongressInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, CongressInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, CongressApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, CongressApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, CongressInternal, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, CongressInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, CongressInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, CongressApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, CongressApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, CongressInternal, port] + CongressPublic: + host: + str_replace: + template: + get_param: [EndpointMap, CongressPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: 
+ str_replace: + template: + get_param: [EndpointMap, CongressPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, CongressPublic, port] + protocol: + get_param: [EndpointMap, CongressPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, CongressPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, CongressPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, CongressPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, CongressPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, CongressPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, CongressPublic, port] + ContrailAnalyticsApiAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsApiAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsApiAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + 
- get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + port: + get_param: [EndpointMap, ContrailAnalyticsApiAdmin, port] + protocol: + get_param: [EndpointMap, ContrailAnalyticsApiAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsApiAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsApiAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsApiAdmin, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsApiAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsApiAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsApiAdmin, port] + ContrailAnalyticsApiInternal: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsApiInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsApiInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + port: 
+ get_param: [EndpointMap, ContrailAnalyticsApiInternal, port] + protocol: + get_param: [EndpointMap, ContrailAnalyticsApiInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsApiInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsApiInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsApiInternal, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsApiInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsApiInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsApiInternal, port] + ContrailAnalyticsApiPublic: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsApiPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsApiPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, ContrailAnalyticsApiPublic, port] + protocol: + get_param: 
[EndpointMap, ContrailAnalyticsApiPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsApiPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsApiPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsApiPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsApiPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsApiPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsApiPublic, port] + ContrailAnalyticsCollectorHttpAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + port: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpAdmin, + port] + protocol: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpAdmin, + protocol] 
+ uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsCollectorHttpAdmin, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsCollectorHttpAdmin, + port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsCollectorHttpAdmin, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsCollectorHttpAdmin, + port] + ContrailAnalyticsCollectorHttpInternal: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + port: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpInternal, + port] + protocol: + 
get_param: [EndpointMap, ContrailAnalyticsCollectorHttpInternal, + protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsCollectorHttpInternal, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsCollectorHttpInternal, + port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsCollectorHttpInternal, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsCollectorHttpInternal, + port] + ContrailAnalyticsCollectorHttpPublic: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, 
ContrailAnalyticsCollectorHttpPublic, + port] + protocol: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpPublic, + protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsCollectorHttpPublic, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsCollectorHttpPublic, + port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsCollectorHttpPublic, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorHttpPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsCollectorHttpPublic, + port] + ContrailAnalyticsCollectorSandeshAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + port: 
+ get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshAdmin, + port] + protocol: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshAdmin, + protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshAdmin, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshAdmin, + port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshAdmin, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshAdmin, + port] + ContrailAnalyticsCollectorSandeshInternal: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + 
IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + port: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshInternal, + port] + protocol: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshInternal, + protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshInternal, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshInternal, + port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshInternal, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshInternal, + port] + ContrailAnalyticsCollectorSandeshPublic: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshPublic, + host] + params: + 
CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshPublic, + port] + protocol: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshPublic, + protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshPublic, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshPublic, + port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshPublic, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshPublic, + port] + ContrailAnalyticsHttpAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsHttpAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsHttpAdmin, host] + params: + CLOUDNAME: 
+ get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + port: + get_param: [EndpointMap, ContrailAnalyticsHttpAdmin, port] + protocol: + get_param: [EndpointMap, ContrailAnalyticsHttpAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsHttpAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsHttpAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsHttpAdmin, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsHttpAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsHttpAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsHttpAdmin, port] + ContrailAnalyticsHttpInternal: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsHttpInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsHttpInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: 
[ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + port: + get_param: [EndpointMap, ContrailAnalyticsHttpInternal, port] + protocol: + get_param: [EndpointMap, ContrailAnalyticsHttpInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsHttpInternal, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsHttpInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsHttpInternal, + port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsHttpInternal, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsHttpInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsHttpInternal, + port] + ContrailAnalyticsHttpPublic: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsHttpPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsHttpPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + 
get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, ContrailAnalyticsHttpPublic, port] + protocol: + get_param: [EndpointMap, ContrailAnalyticsHttpPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsHttpPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsHttpPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsHttpPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsHttpPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsHttpPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsHttpPublic, port] + ContrailAnalyticsRedisAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsRedisAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsRedisAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + port: + get_param: 
[EndpointMap, ContrailAnalyticsRedisAdmin, port] + protocol: + get_param: [EndpointMap, ContrailAnalyticsRedisAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsRedisAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsRedisAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsRedisAdmin, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsRedisAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsRedisAdmin, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsRedisAdmin, port] + ContrailAnalyticsRedisInternal: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsRedisInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsRedisInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + port: + get_param: [EndpointMap, 
ContrailAnalyticsRedisInternal, port] + protocol: + get_param: [EndpointMap, ContrailAnalyticsRedisInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsRedisInternal, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsRedisInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsRedisInternal, + port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsRedisInternal, + protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsRedisInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailAnalyticsNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsRedisInternal, + port] + ContrailAnalyticsRedisPublic: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsRedisPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsRedisPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, ContrailAnalyticsRedisPublic, port] + protocol: + 
get_param: [EndpointMap, ContrailAnalyticsRedisPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsRedisPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsRedisPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsRedisPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailAnalyticsRedisPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailAnalyticsRedisPublic, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailAnalyticsRedisPublic, port] + ContrailConfigAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailConfigAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailConfigAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailConfigNetwork] + port: + get_param: [EndpointMap, ContrailConfigAdmin, port] + protocol: + get_param: [EndpointMap, ContrailConfigAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, 
ContrailConfigAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailConfigAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailConfigAdmin, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailConfigAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailConfigAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailConfigAdmin, port] + ContrailConfigInternal: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailConfigInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailConfigInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailConfigNetwork] + port: + get_param: [EndpointMap, ContrailConfigInternal, port] + protocol: + get_param: [EndpointMap, ContrailConfigInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailConfigInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailConfigInternal, host] + params: + CLOUDNAME: 
+ get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailConfigInternal, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailConfigInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailConfigInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailConfigInternal, port] + ContrailConfigPublic: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailConfigPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailConfigPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, ContrailConfigPublic, port] + protocol: + get_param: [EndpointMap, ContrailConfigPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailConfigPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailConfigPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: 
[ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailConfigPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailConfigPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailConfigPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailConfigPublic, port] + ContrailDiscoveryAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailDiscoveryAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailDiscoveryAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailConfigNetwork] + port: + get_param: [EndpointMap, ContrailDiscoveryAdmin, port] + protocol: + get_param: [EndpointMap, ContrailDiscoveryAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailDiscoveryAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailDiscoveryAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailDiscoveryAdmin, port] + uri_no_suffix: + list_join: + - 
'' + - - get_param: [EndpointMap, ContrailDiscoveryAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailDiscoveryAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailDiscoveryAdmin, port] + ContrailDiscoveryInternal: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailDiscoveryInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailDiscoveryInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailConfigNetwork] + port: + get_param: [EndpointMap, ContrailDiscoveryInternal, port] + protocol: + get_param: [EndpointMap, ContrailDiscoveryInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailDiscoveryInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailDiscoveryInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailDiscoveryInternal, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailDiscoveryInternal, protocol] + - :// + - str_replace: + 
template: + get_param: [EndpointMap, ContrailDiscoveryInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailDiscoveryInternal, port] + ContrailDiscoveryPublic: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailDiscoveryPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailDiscoveryPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, ContrailDiscoveryPublic, port] + protocol: + get_param: [EndpointMap, ContrailDiscoveryPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailDiscoveryPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailDiscoveryPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailDiscoveryPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailDiscoveryPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailDiscoveryPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, 
PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailDiscoveryPublic, port] + ContrailWebuiHttpAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailConfigNetwork] + port: + get_param: [EndpointMap, ContrailWebuiHttpAdmin, port] + protocol: + get_param: [EndpointMap, ContrailWebuiHttpAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailWebuiHttpAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailWebuiHttpAdmin, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailWebuiHttpAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, 
ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailWebuiHttpAdmin, port] + ContrailWebuiHttpInternal: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailConfigNetwork] + port: + get_param: [EndpointMap, ContrailWebuiHttpInternal, port] + protocol: + get_param: [EndpointMap, ContrailWebuiHttpInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailWebuiHttpInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailWebuiHttpInternal, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailWebuiHttpInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, 
ContrailWebuiHttpInternal, port] + ContrailWebuiHttpPublic: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, ContrailWebuiHttpPublic, port] + protocol: + get_param: [EndpointMap, ContrailWebuiHttpPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailWebuiHttpPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailWebuiHttpPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailWebuiHttpPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailWebuiHttpPublic, port] + ContrailWebuiHttpsAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpsAdmin, host] + params: + CLOUDNAME: + 
get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpsAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailConfigNetwork] + port: + get_param: [EndpointMap, ContrailWebuiHttpsAdmin, port] + protocol: + get_param: [EndpointMap, ContrailWebuiHttpsAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailWebuiHttpsAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpsAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailWebuiHttpsAdmin, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailWebuiHttpsAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpsAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailWebuiHttpsAdmin, port] + ContrailWebuiHttpsInternal: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpsInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - 
NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpsInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, ContrailConfigNetwork] + port: + get_param: [EndpointMap, ContrailWebuiHttpsInternal, port] + protocol: + get_param: [EndpointMap, ContrailWebuiHttpsInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailWebuiHttpsInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpsInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailWebuiHttpsInternal, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailWebuiHttpsInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpsInternal, + host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, ContrailConfigNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, ContrailConfigNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailWebuiHttpsInternal, port] + ContrailWebuiHttpsPublic: + host: + str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpsPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + 
template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpsPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, ContrailWebuiHttpsPublic, port] + protocol: + get_param: [EndpointMap, ContrailWebuiHttpsPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, ContrailWebuiHttpsPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpsPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailWebuiHttpsPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, ContrailWebuiHttpsPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, ContrailWebuiHttpsPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, ContrailWebuiHttpsPublic, port] + Ec2ApiAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, Ec2ApiAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, Ec2ApiNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, Ec2ApiAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, 
Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, Ec2ApiNetwork] + port: + get_param: [EndpointMap, Ec2ApiAdmin, port] + protocol: + get_param: [EndpointMap, Ec2ApiAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, Ec2ApiAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, Ec2ApiAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, Ec2ApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, Ec2ApiAdmin, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, Ec2ApiAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, Ec2ApiAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, Ec2ApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, Ec2ApiAdmin, port] + Ec2ApiInternal: + host: + str_replace: + template: + get_param: [EndpointMap, Ec2ApiInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, Ec2ApiNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, Ec2ApiInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, Ec2ApiNetwork] + port: + get_param: [EndpointMap, Ec2ApiInternal, port] + protocol: + get_param: [EndpointMap, Ec2ApiInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, Ec2ApiInternal, protocol] + 
- :// + - str_replace: + template: + get_param: [EndpointMap, Ec2ApiInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, Ec2ApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, Ec2ApiInternal, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, Ec2ApiInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, Ec2ApiInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, Ec2ApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, Ec2ApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, Ec2ApiInternal, port] + Ec2ApiPublic: + host: + str_replace: + template: + get_param: [EndpointMap, Ec2ApiPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, Ec2ApiPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, Ec2ApiPublic, port] + protocol: + get_param: [EndpointMap, Ec2ApiPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, Ec2ApiPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, Ec2ApiPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, 
PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, Ec2ApiPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, Ec2ApiPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, Ec2ApiPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, Ec2ApiPublic, port] GlanceAdmin: host: str_replace: 
@@ -5487,6 +8301,249 @@ outputs: template: NETWORK_uri - ':' - get_param: [EndpointMap, NovaVNCProxyPublic, port] + OctaviaAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, OctaviaAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, OctaviaApiNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, OctaviaAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, OctaviaApiNetwork] + port: + get_param: [EndpointMap, OctaviaAdmin, port] + protocol: + get_param: [EndpointMap, OctaviaAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, OctaviaAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, OctaviaAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, OctaviaApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, OctaviaAdmin, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, OctaviaAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, OctaviaAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, OctaviaApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, OctaviaAdmin, port] + OctaviaInternal: + host: + str_replace: + template: + get_param: [EndpointMap, OctaviaInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + 
- get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, OctaviaApiNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, OctaviaInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, OctaviaApiNetwork] + port: + get_param: [EndpointMap, OctaviaInternal, port] + protocol: + get_param: [EndpointMap, OctaviaInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, OctaviaInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, OctaviaInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, OctaviaApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, OctaviaInternal, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, OctaviaInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, OctaviaInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, OctaviaApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, OctaviaApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, OctaviaInternal, port] + OctaviaPublic: + host: + str_replace: + template: + get_param: [EndpointMap, OctaviaPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + 
get_param: [EndpointMap, OctaviaPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, OctaviaPublic, port] + protocol: + get_param: [EndpointMap, OctaviaPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, OctaviaPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, OctaviaPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, OctaviaPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, OctaviaPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, OctaviaPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, OctaviaPublic, port] PankoAdmin: host: str_replace: 
@@ -6464,6 +9521,249 @@ outputs: template: NETWORK_uri - ':' - get_param: [EndpointMap, SwiftPublic, port] + TackerAdmin: + host: + str_replace: + template: + get_param: [EndpointMap, TackerAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, TackerApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, TackerApiNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, TackerAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, TackerApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, TackerApiNetwork] + port: + get_param: [EndpointMap, TackerAdmin, port] + protocol: + get_param: [EndpointMap, TackerAdmin, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, TackerAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, TackerAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, TackerApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, TackerApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, TackerAdmin, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, TackerAdmin, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, TackerAdmin, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, TackerApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, TackerApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, TackerAdmin, port] + TackerInternal: + host: + str_replace: + template: + get_param: [EndpointMap, TackerInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: 
[ServiceNetMap, TackerApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, TackerApiNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, TackerInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, TackerApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, TackerApiNetwork] + port: + get_param: [EndpointMap, TackerInternal, port] + protocol: + get_param: [EndpointMap, TackerInternal, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, TackerInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, TackerInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, TackerApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, TackerApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, TackerInternal, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, TackerInternal, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, TackerInternal, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, TackerApiNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, TackerApiNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, TackerInternal, port] + TackerPublic: + host: + str_replace: + template: + get_param: [EndpointMap, TackerPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + host_nobrackets: + str_replace: + template: + get_param: [EndpointMap, TackerPublic, 
host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - get_param: [ServiceNetMap, PublicNetwork] + port: + get_param: [EndpointMap, TackerPublic, port] + protocol: + get_param: [EndpointMap, TackerPublic, protocol] + uri: + list_join: + - '' + - - get_param: [EndpointMap, TackerPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, TackerPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, TackerPublic, port] + uri_no_suffix: + list_join: + - '' + - - get_param: [EndpointMap, TackerPublic, protocol] + - :// + - str_replace: + template: + get_param: [EndpointMap, TackerPublic, host] + params: + CLOUDNAME: + get_param: + - CloudEndpoints + - get_param: [ServiceNetMap, PublicNetwork] + IP_ADDRESS: + get_param: + - NetIpMap + - str_replace: + params: + NETWORK: + get_param: [ServiceNetMap, PublicNetwork] + template: NETWORK_uri + - ':' + - get_param: [EndpointMap, TackerPublic, port] ZaqarAdmin: host: str_replace: diff --git a/network/service_net_map.j2.yaml b/network/service_net_map.j2.yaml index c363ab8a..a1042ebb 100644 --- a/network/service_net_map.j2.yaml +++ b/network/service_net_map.j2.yaml 
@@ -21,9 +21,19 @@ parameters: # snake_case - the names must still match when converted ServiceNetMapDefaults: default: + # Note the values in this map are replaced by *NetName + # to allow for sane defaults when the network names are + # overridden. ApacheNetwork: internal_api NeutronTenantNetwork: tenant CeilometerApiNetwork: internal_api + ContrailAnalyticsNetwork: internal_api + ContrailAnalyticsDatabaseNetwork: internal_api + ContrailConfigNetwork: internal_api + ContrailControlNetwork: internal_api + ContrailDatabaseNetwork: internal_api + ContrailWebuiNetwork: internal_api + ContrailTsnNetwork: internal_api AodhApiNetwork: internal_api PankoApiNetwork: internal_api BarbicanApiNetwork: internal_api @@ -31,6 +41,7 @@ parameters: MongodbNetwork: internal_api CinderApiNetwork: internal_api CinderIscsiNetwork: storage + CongressApiNetwork: internal_api GlanceApiNetwork: storage IronicApiNetwork: ctlplane IronicNetwork: ctlplane @@ -38,6 +49,7 @@ parameters: KeystonePublicApiNetwork: internal_api ManilaApiNetwork: internal_api NeutronApiNetwork: internal_api + OctaviaApiNetwork: internal_api HeatApiNetwork: internal_api HeatApiCfnNetwork: internal_api HeatApiCloudwatchNetwork: internal_api @@ -45,6 +57,10 @@ parameters: NovaPlacementNetwork: internal_api NovaMetadataNetwork: internal_api NovaVncProxyNetwork: internal_api + NovaLibvirtNetwork: internal_api + Ec2ApiNetwork: internal_api + Ec2ApiMetadataNetwork: internal_api + TackerApiNetwork: internal_api SwiftStorageNetwork: storage_mgmt SwiftProxyNetwork: storage SaharaApiNetwork: internal_api @@ -61,6 +77,7 @@ parameters: OvnDbsNetwork: internal_api MistralApiNetwork: internal_api ZaqarApiNetwork: internal_api + PacemakerRemoteNetwork: internal_api # We special-case the default ResolveNetwork for the CephStorage role # for backwards compatibility, all other roles default to internal_api CephStorageHostnameResolveNetwork: storage 
@@ -84,20 +101,62 @@ parameters: internal use only, this will be removed in future. type: json + InternalApiNetName: + default: internal_api + description: The name of the internal API network. + type: string + ExternalNetName: + default: external + description: The name of the external network. + type: string + ManagementNetName: + default: management + description: The name of the management network. + type: string + StorageNetName: + default: storage + description: The name of the storage network. + type: string + StorageMgmtNetName: + default: storage_mgmt + description: The name of the Storage management network. + type: string + TenantNetName: + default: tenant + description: The name of the tenant network. + type: string + + parameter_groups: - label: deprecated description: Do not use deprecated params, they will be removed. parameters: - ServiceNetMapDeprecatedMapping +resources: + ServiceNetMapValue: + type: OS::Heat::Value + properties: + type: json + value: + map_merge: + - map_replace: + - {get_param: ServiceNetMapDefaults} + - values: + external: {get_param: ExternalNetName} + internal_api: {get_param: InternalApiNetName} + storage: {get_param: StorageNetName} + storage_mgmt: {get_param: StorageMgmtNetName} + tenant: {get_param: TenantNetName} + management: {get_param: ManagementNetName} + - map_replace: + - {get_param: ServiceNetMap} + - keys: {get_param: ServiceNetMapDeprecatedMapping} + + outputs: service_net_map: - value: - map_merge: - - {get_param: ServiceNetMapDefaults} - - map_replace: - - {get_param: ServiceNetMap} - - keys: {get_param: ServiceNetMapDeprecatedMapping} + value: {get_attr: [ServiceNetMapValue, value]} service_net_map_lower: value: 
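Review bot: In `ServiceNetMapValue` the `values:` translation from the default names to the `*NetName` parameters is applied only to `ServiceNetMapDefaults`; the user-supplied `ServiceNetMap` goes through the second `map_replace` with `keys:` only, so an override that still says `internal_api` is passed through untranslated when `InternalApiNetName` is changed. If that is the intended contract it should be written down, because a service mapped to a network name that no longer exists, or to a different network than the operator expected, is hard to spot after deployment. A comment above the second `map_replace` would do, e.g. `# ServiceNetMap overrides are not translated; they must use the actual network names (the *NetName values)`. `ctlplane` has no entry under `values:` either, which looks deliberate but deserves a word in the same comment.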
@@ -107,9 +166,4 @@ outputs: yaql: expression: dict($.data.map.items().select([ regex(`([a-z0-9])([A-Z])`).replace($[0], '\\1_\\2').toLower(), $[1]])) data: - map: - map_merge: - - {get_param: ServiceNetMapDefaults} - - map_replace: - - {get_param: ServiceNetMap} - - keys: {get_param: ServiceNetMapDeprecatedMapping} + map: {get_attr: [ServiceNetMapValue, value]} diff --git a/overcloud-resource-registry-puppet.j2.yaml b/overcloud-resource-registry-puppet.j2.yaml index e111a1a6..a6b32ddb 100644 --- a/overcloud-resource-registry-puppet.j2.yaml +++ b/overcloud-resource-registry-puppet.j2.yaml @@ -2,6 +2,7 @@ resource_registry: OS::TripleO::SoftwareDeployment: OS::Heat::StructuredDeployment OS::TripleO::PostDeploySteps: puppet/post.yaml + OS::TripleO::PostUpgradeSteps: puppet/post.yaml OS::TripleO::AllNodes::SoftwareConfig: puppet/all-nodes-config.yaml OS::TripleO::Hosts::SoftwareConfig: hosts-config.yaml OS::TripleO::DefaultPasswords: default_passwords.yaml @@ -110,7 +111,6 @@ resource_registry: # Upgrade resources OS::TripleO::UpgradeConfig: puppet/upgrade_config.yaml - OS::TripleO::UpgradeSteps: OS::Heat::None # services OS::TripleO::Services: puppet/services/services.yaml @@ -119,6 +119,7 @@ resource_registry: OS::TripleO::Services::CACerts: puppet/services/ca-certs.yaml OS::TripleO::Services::CephMds: OS::Heat::None OS::TripleO::Services::CephMon: OS::Heat::None + OS::TripleO::Services::CephRbdMirror: OS::Heat::None OS::TripleO::Services::CephRgw: OS::Heat::None OS::TripleO::Services::CephOSD: OS::Heat::None OS::TripleO::Services::CephClient: OS::Heat::None 
@@ -128,8 +129,10 @@ resource_registry: OS::TripleO::Services::CinderScheduler: puppet/services/cinder-scheduler.yaml OS::TripleO::Services::CinderVolume: puppet/services/cinder-volume.yaml OS::TripleO::Services::BlockStorageCinderVolume: puppet/services/cinder-volume.yaml + OS::TripleO::Services::Congress: OS::Heat::None OS::TripleO::Services::Keystone: puppet/services/keystone.yaml OS::TripleO::Services::GlanceApi: puppet/services/glance-api.yaml + OS::TripleO::Services::GlanceRegistry: puppet/services/disabled/glance-registry.yaml OS::TripleO::Services::HeatApi: puppet/services/heat-api.yaml OS::TripleO::Services::HeatApiCfn: puppet/services/heat-api-cfn.yaml OS::TripleO::Services::HeatApiCloudwatch: puppet/services/heat-api-cloudwatch.yaml @@ -152,13 +155,13 @@ resource_registry: OS::TripleO::Services::NeutronCorePluginML2OVN: puppet/services/neutron-plugin-ml2-ovn.yaml OS::TripleO::Services::NeutronCorePluginPlumgrid: puppet/services/neutron-plugin-plumgrid.yaml OS::TripleO::Services::NeutronCorePluginNuage: puppet/services/neutron-plugin-nuage.yaml - OS::TripleO::Services::NeutronCorePluginOpencontrail: puppet/services/neutron-plugin-opencontrail.yaml OS::TripleO::Services::OVNDBs: OS::Heat::None OS::TripleO::Services::NeutronCorePluginMidonet: puppet/services/neutron-midonet.yaml OS::TripleO::Services::NeutronOvsAgent: puppet/services/neutron-ovs-agent.yaml OS::TripleO::Services::ComputeNeutronOvsAgent: puppet/services/neutron-ovs-agent.yaml OS::TripleO::Services::Pacemaker: OS::Heat::None + OS::TripleO::Services::PacemakerRemote: OS::Heat::None OS::TripleO::Services::NeutronSriovAgent: OS::Heat::None OS::TripleO::Services::RabbitMQ: puppet/services/rabbitmq.yaml OS::TripleO::Services::HAproxy: puppet/services/haproxy.yaml 
@@ -168,6 +171,7 @@ resource_registry: OS::TripleO::Services::Memcached: puppet/services/memcached.yaml OS::TripleO::Services::SaharaApi: OS::Heat::None OS::TripleO::Services::SaharaEngine: OS::Heat::None + OS::TripleO::Services::Sshd: OS::Heat::None OS::TripleO::Services::Redis: puppet/services/database/redis.yaml OS::TripleO::Services::NovaConductor: puppet/services/nova-conductor.yaml OS::TripleO::Services::MongoDb: puppet/services/database/mongodb.yaml @@ -184,6 +188,7 @@ resource_registry: OS::TripleO::Services::SwiftStorage: puppet/services/swift-storage.yaml OS::TripleO::Services::SwiftRingBuilder: puppet/services/swift-ringbuilder.yaml OS::TripleO::Services::Snmp: puppet/services/snmp.yaml + OS::TripleO::Services::Tacker: OS::Heat::None OS::TripleO::Services::Timezone: puppet/services/time/timezone.yaml OS::TripleO::Services::CeilometerApi: puppet/services/ceilometer-api.yaml OS::TripleO::Services::CeilometerCollector: puppet/services/ceilometer-collector.yaml @@ -198,6 +203,7 @@ resource_registry: OS::TripleO::Services::GnocchiStatsd: puppet/services/gnocchi-statsd.yaml # Services that are disabled by default (use relevant environment files): OS::TripleO::Services::FluentdClient: OS::Heat::None + OS::TripleO::Services::Collectd: OS::Heat::None OS::TripleO::LoggingConfiguration: puppet/services/logging/fluentd-config.yaml OS::TripleO::Services::ManilaApi: OS::Heat::None OS::TripleO::Services::ManilaScheduler: OS::Heat::None 
@@ -224,15 +230,18 @@ resource_registry: OS::TripleO::Services::OpenDaylightApi: OS::Heat::None OS::TripleO::Services::OpenDaylightOvs: OS::Heat::None OS::TripleO::Services::SensuClient: OS::Heat::None - OS::TripleO::Services::ContrailAnalytics: puppet/services/network/contrail-analytics.yaml - OS::TripleO::Services::ContrailConfig: puppet/services/network/contrail-config.yaml - OS::TripleO::Services::ContrailControl: puppet/services/network/contrail-control.yaml - OS::TripleO::Services::ContrailDatabase: puppet/services/network/contrail-database.yaml - OS::TripleO::Services::ContrailWebui: puppet/services/network/contrail-webui.yaml + OS::TripleO::Services::TLSProxyBase: OS::Heat::None OS::TripleO::Services::Zaqar: OS::Heat::None OS::TripleO::Services::NeutronML2FujitsuCfab: OS::Heat::None + OS::TripleO::Services::NeutronML2FujitsuFossw: OS::Heat::None OS::TripleO::Services::CinderHPELeftHandISCSI: OS::Heat::None OS::TripleO::Services::Etcd: OS::Heat::None + OS::TripleO::Services::Ec2Api: OS::Heat::None + OS::TripleO::Services::AuditD: OS::Heat::None + OS::TripleO::Services::OctaviaApi: OS::Heat::None + OS::TripleO::Services::OctaviaHealthManager: OS::Heat::None + OS::TripleO::Services::OctaviaHousekeeping: OS::Heat::None + OS::TripleO::Services::OctaviaWorker: OS::Heat::None parameter_defaults: EnablePackageInstall: false diff --git a/overcloud.j2.yaml b/overcloud.j2.yaml index f93c19a3..5b2ca4a2 100644 --- a/overcloud.j2.yaml +++ b/overcloud.j2.yaml @@ -598,9 +598,9 @@ resources: {{role.name}}: {get_attr: [{{role.name}}, attributes, nova_server_resource]} {% endfor %} - # Upgrade steps for all roles - AllNodesUpgradeSteps: - type: OS::TripleO::UpgradeSteps + # Post deployment steps for all roles + AllNodesDeploySteps: + type: OS::TripleO::PostDeploySteps depends_on: {% for role in roles %} - {{role.name}}AllNodesDeployment 
@@ -610,20 +610,7 @@ resources: {% for role in roles %} {{role.name}}: {get_attr: [{{role.name}}, attributes, nova_server_resource]} {% endfor %} - role_data: -{% for role in roles %} - {{role.name}}: {get_attr: [{{role.name}}ServiceChain, role_data]} -{% endfor %} - - # Post deployment steps for all roles - AllNodesDeploySteps: - type: OS::TripleO::PostDeploySteps - depends_on: AllNodesUpgradeSteps - properties: - servers: -{% for role in roles %} - {{role.name}}: {get_attr: [{{role.name}}, attributes, nova_server_resource]} -{% endfor %} + EndpointMap: {get_attr: [EndpointMap, endpoint_map]} role_data: {% for role in roles %} {{role.name}}: {get_attr: [{{role.name}}ServiceChain, role_data]} diff --git a/puppet/controller-role.yaml b/puppet/controller-role.yaml index 9e35af5f..d3268ee2 100644 --- a/puppet/controller-role.yaml +++ b/puppet/controller-role.yaml @@ -458,9 +458,7 @@ resources: - all_nodes # provided by allNodesConfig - vip_data # provided by allNodesConfig - '"%{::osfamily}"' - - cinder_dellsc_data # Optionally provided by ControllerExtraConfigPre - cinder_netapp_data # Optionally provided by ControllerExtraConfigPre - - cinder_eqlx_data # Optionally provided by ControllerExtraConfigPre - neutron_bigswitch_data # Optionally provided by ControllerExtraConfigPre - neutron_cisco_data # Optionally provided by ControllerExtraConfigPre - cisco_n1kv_data # Optionally provided by ControllerExtraConfigPre diff --git a/puppet/extraconfig/all_nodes/neutron-ml2-cisco-nexus-ucsm.yaml b/puppet/extraconfig/all_nodes/neutron-ml2-cisco-nexus-ucsm.yaml index cb8d498c..9b900bc4 100644 --- a/puppet/extraconfig/all_nodes/neutron-ml2-cisco-nexus-ucsm.yaml +++ b/puppet/extraconfig/all_nodes/neutron-ml2-cisco-nexus-ucsm.yaml 
@@ -245,7 +245,9 @@ resources: for map_name in mappings: f_name = '/root/' + map_name map_data = os.getenv(map_name, "Nada") - with open(f_name, 'a') as f: + with os.fdopen(os.open(f_name, + os.O_CREAT | os.O_TRUNC | os.O_WRONLY, 0o644), + 'w') as f: f.write(map_data) if map_data is not "Nada": if map_name is not 'nexus_config': @@ -260,7 +262,9 @@ resources: for mac in vals[1:]: mac2host[mac.lower()] = vals[0] - with open('/root/mac2host', 'a') as f: + with os.fdopen(os.open('/root/mac2host', + os.O_CREAT | os.O_TRUNC | os.O_WRONLY, 0o644), + 'w') as f: f.write(str(mac2host)) # now we have mac to host, map host to switchport in hieradata diff --git a/puppet/extraconfig/pre_deploy/compute/neutron-opencontrail.yaml b/puppet/extraconfig/pre_deploy/compute/neutron-opencontrail.yaml deleted file mode 100644 index 66252f1f..00000000 --- a/puppet/extraconfig/pre_deploy/compute/neutron-opencontrail.yaml +++ /dev/null 
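Review bot: The mode passed to `os.open()` in both hunks is `0o644`, so `/root/<map_name>` and `/root/mac2host` are created world-readable, and `map_data` is written verbatim from the environment; for `nexus_config` that data presumably includes switch credentials (not visible in the hunk, worth confirming). I would create these files owner-only, `os.O_CREAT | os.O_TRUNC | os.O_WRONLY, 0o600),`. The mode argument only takes effect when the file is created, so files left behind by the earlier `open(f_name, 'a')` keep whatever permissions they already had; `os.fchmod(f.fileno(), 0o600)` as the first statement inside each `with` covers the re-run case. The embedded script starts and ends outside both hunks.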
@@ -1,59 +0,0 @@ -heat_template_version: ocata - -description: Compute node hieradata for Neutron OpenContrail configuration - -parameters: - server: - description: ID of the compute node to apply this config to - type: string - ContrailApiServerIp: - description: IP address of the OpenContrail API server - type: string - ContrailApiServerPort: - description: Port of the OpenContrail API - type: string - default: 8082 - -resources: - ComputeContrailConfig: - type: OS::Heat::StructuredConfig - properties: - group: os-apply-config - config: - hiera: - datafiles: - neutron_opencontrail_data: - mapped_data: - nova::network::neutron::network_api_class: nova.network.neutronv2.api.API - - contrail::vrouter::provision_vrouter::api_address: {get_input: contrail_api_server_ip} - contrail::vrouter::provision_vrouter::api_port: {get_input: contrail_api_server_port} - contrail::vrouter::provision_vrouter::keystone_admin_user: admin - contrail::vrouter::provision_vrouter::keystone_admin_tenant_name: admin - contrail::vrouter::provision_vrouter::keystone_admin_password: '"%{::admin_password}"' - - contrail::vnc_api::vnc_api_config: - 'auth/AUTHN_TYPE': - value: keystone - 'auth/AUTHN_PROTOCOL': - value: http - 'auth/AUTHN_SERVER': - value: "%{hiera('keystone_admin_api_vip')}" - 'auth/AUTHN_PORT': - value: 35357 - 'auth/AUTHN_URL': - value: '/v2.0/tokens' - - ComputeContrailDeployment: - type: OS::Heat::StructuredDeployment - properties: - config: {get_resource: ComputeContrailConfig} - server: {get_param: server} - input_values: - contrail_api_server_ip: {get_param: ContrailApiServerIp} - contrail_api_server_port: {get_param: ContrailApiServerPort} - -outputs: - deploy_stdout: - description: Output of the extra hiera data deployment - value: {get_attr: [ComputeContrailDeployment, deploy_stdout]} diff --git a/puppet/extraconfig/pre_deploy/controller/cinder-dellsc.yaml b/puppet/extraconfig/pre_deploy/controller/cinder-dellsc.yaml deleted file mode 100644 index 7d639883..00000000 
--- a/puppet/extraconfig/pre_deploy/controller/cinder-dellsc.yaml
+++ /dev/null
@@ -1,87 +0,0 @@ -heat_template_version: ocata - -description: Configure hieradata for Cinder Dell Storage Center configuration - -parameters: - server: - description: ID of the controller node to apply this config to - type: string - - # Config specific parameters, to be provided via parameter_defaults - CinderEnableDellScBackend: - type: boolean - default: true - CinderDellScBackendName: - type: string - default: 'tripleo_dellsc' - CinderDellScSanIp: - type: string - CinderDellScSanLogin: - type: string - default: 'Admin' - CinderDellScSanPassword: - type: string - hidden: true - CinderDellScSsn: - type: string - default: '64702' - CinderDellScIscsiIpAddress: - type: string - default: '' - CinderDellScIscsiPort: - type: string - default: '3260' - CinderDellScApiPort: - type: string - default: '3033' - CinderDellScServerFolder: - type: string - default: 'dellsc_server' - CinderDellScVolumeFolder: - type: string - default: 'dellsc_volume' - -resources: - CinderDellScConfig: - type: OS::Heat::StructuredConfig - properties: - group: os-apply-config - config: - hiera: - datafiles: - cinder_dellsc_data: - mapped_data: - tripleo::profile::base::cinder::volume::cinder_enable_dellsc_backend: {get_input: EnableDellScBackend} - cinder::backend::dellsc_iscsi::volume_backend_name: {get_input: DellScBackendName} - cinder::backend::dellsc_iscsi::san_ip: {get_input: DellScSanIp} - cinder::backend::dellsc_iscsi::san_login: {get_input: DellScSanLogin} - cinder::backend::dellsc_iscsi::san_password: {get_input: DellScSanPassword} - cinder::backend::dellsc_iscsi::dell_sc_ssn: {get_input: DellScSsn} - cinder::backend::dellsc_iscsi::iscsi_ip_address: {get_input: DellScIscsiIpAddress} - cinder::backend::dellsc_iscsi::iscsi_port: {get_input: DellScIscsiPort} - cinder::backend::dellsc_iscsi::dell_sc_api_port: {get_input: DellScApiPort} - cinder::backend::dellsc_iscsi::dell_sc_server_folder: {get_input: DellScServerFolder} - cinder::backend::dellsc_iscsi::dell_sc_volume_folder: {get_input: 
DellScVolumeFolder} - - CinderDellScDeployment: - type: OS::Heat::StructuredDeployment - properties: - config: {get_resource: CinderDellScConfig} - server: {get_param: server} - input_values: - EnableDellScBackend: {get_param: CinderEnableDellScBackend} - DellScBackendName: {get_param: CinderDellScBackendName} - DellScSanIp: {get_param: CinderDellScSanIp} - DellScSanLogin: {get_param: CinderDellScSanLogin} - DellScSanPassword: {get_param: CinderDellScSanPassword} - DellScSsn: {get_param: CinderDellScSsn} - DellScIscsiIpAddress: {get_param: CinderDellScIscsiIpAddress} - DellScIscsiPort: {get_param: CinderDellScIscsiPort} - DellScApiPort: {get_param: CinderDellScApiPort} - DellScServerFolder: {get_param: CinderDellScServerFolder} - DellScVolumeFolder: {get_param: CinderDellScVolumeFolder} - -outputs: - deploy_stdout: - description: Deployment reference, used to trigger puppet apply on changes - value: {get_attr: [CinderDellScDeployment, deploy_stdout]} diff --git a/puppet/extraconfig/pre_deploy/controller/cinder-eqlx.yaml b/puppet/extraconfig/pre_deploy/controller/cinder-eqlx.yaml deleted file mode 100644 index 30509044..00000000 --- a/puppet/extraconfig/pre_deploy/controller/cinder-eqlx.yaml +++ /dev/null 
@@ -1,86 +0,0 @@ -heat_template_version: ocata - -description: Configure hieradata for Cinder Eqlx configuration - -parameters: - server: - description: ID of the controller node to apply this config to - type: string - - # Config specific parameters, to be provided via parameter_defaults - CinderEnableEqlxBackend: - type: boolean - default: true - CinderEqlxBackendName: - type: string - default: 'tripleo_eqlx' - CinderEqlxSanIp: - type: string - CinderEqlxSanLogin: - type: string - CinderEqlxSanPassword: - type: string - hidden: true - CinderEqlxSanThinProvision: - type: boolean - default: true - CinderEqlxGroupname: - type: string - default: 'group-0' - CinderEqlxPool: - type: string - default: 'default' - CinderEqlxChapLogin: - type: string - default: '' - CinderEqlxChapPassword: - type: string - default: '' - CinderEqlxUseChap: - type: boolean - default: false - -resources: - CinderEqlxConfig: - type: OS::Heat::StructuredConfig - properties: - group: os-apply-config - config: - hiera: - datafiles: - cinder_eqlx_data: - mapped_data: - tripleo::profile::base::cinder::volume::cinder_enable_eqlx_backend: {get_input: EnableEqlxBackend} - cinder::backend::eqlx::volume_backend_name: {get_input: EqlxBackendName} - cinder::backend::eqlx::san_ip: {get_input: EqlxSanIp} - cinder::backend::eqlx::san_login: {get_input: EqlxSanLogin} - cinder::backend::eqlx::san_password: {get_input: EqlxSanPassword} - cinder::backend::eqlx::san_thin_provision: {get_input: EqlxSanThinProvision} - cinder::backend::eqlx::eqlx_group_name: {get_input: EqlxGroupname} - cinder::backend::eqlx::eqlx_pool: {get_input: EqlxPool} - cinder::backend::eqlx::eqlx_use_chap: {get_input: EqlxUseChap} - cinder::backend::eqlx::eqlx_chap_login: {get_input: EqlxChapLogin} - cinder::backend::eqlx::eqlx_chap_password: {get_input: EqlxChapPassword} - - CinderEqlxDeployment: - type: OS::Heat::StructuredDeployment - properties: - config: {get_resource: CinderEqlxConfig} - server: {get_param: server} - input_values: - 
EnableEqlxBackend: {get_param: CinderEnableEqlxBackend} - EqlxBackendName: {get_param: CinderEqlxBackendName} - EqlxSanIp: {get_param: CinderEqlxSanIp} - EqlxSanLogin: {get_param: CinderEqlxSanLogin} - EqlxSanPassword: {get_param: CinderEqlxSanPassword} - EqlxSanThinProvision: {get_param: CinderEqlxSanThinProvision} - EqlxGroupname: {get_param: CinderEqlxGroupname} - EqlxPool: {get_param: CinderEqlxPool} - EqlxUseChap: {get_param: CinderEqlxUseChap} - EqlxChapLogin: {get_param: CinderEqlxChapLogin} - EqlxChapPassword: {get_param: CinderEqlxChapPassword} - -outputs: - deploy_stdout: - description: Deployment reference, used to trigger puppet apply on changes - value: {get_attr: [CinderEqlxDeployment, deploy_stdout]} diff --git a/puppet/major_upgrade_steps.j2.yaml b/puppet/major_upgrade_steps.j2.yaml index 9430a704..3362a01f 100644 --- a/puppet/major_upgrade_steps.j2.yaml +++ b/puppet/major_upgrade_steps.j2.yaml @@ -1,3 +1,7 @@ +{% set enabled_roles = roles|rejectattr('disable_upgrade_deployment')|list -%} +{% set batch_upgrade_steps_max = 3 -%} +{% set upgrade_steps_max = 6 -%} +{% set deliver_script = {'deliver': False} -%} heat_template_version: ocata description: 'Upgrade steps for all roles' 
@@ -14,38 +18,192 @@ parameters: description: > Setting to a previously unused value during stack-update will trigger the Upgrade resources to re-run on all roles. + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + NovaPassword: + description: The password for the nova service and db account, used by nova-api. + type: string + hidden: true + +conditions: + # Conditions to disable any steps where the task list is empty +{%- for role in roles %} + {{role.name}}UpgradeBatchConfigEnabled: + not: + equals: + - {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} + - [] + {{role.name}}UpgradeConfigEnabled: + not: + equals: + - {get_param: [role_data, {{role.name}}, upgrade_tasks]} + - [] +{%- endfor %} resources: +{% for role in roles if role.disable_upgrade_deployment|default(false) %} + {{role.name}}DeliverUpgradeScriptConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: + list_join: + - '' + - - "#!/bin/bash\n\n" + - "set -eu\n\n" + - "if hiera -c /etc/puppet/hiera.yaml service_names | grep nova_compute ; then\n\n" + - " crudini --set /etc/nova/nova.conf placement auth_type password\n\n" + - " crudini --set /etc/nova/nova.conf placement username placement\n\n" + - " crudini --set /etc/nova/nova.conf placement project_domain_name Default\n\n" + - " crudini --set /etc/nova/nova.conf placement user_domain_name Default\n\n" + - " crudini --set /etc/nova/nova.conf placement project_name service\n\n" + - " systemctl restart openstack-nova-compute\n\n" + - "fi\n\n" + - str_replace: + template: | + crudini --set /etc/nova/nova.conf placement password 'SERVICE_PASSWORD' + crudini --set /etc/nova/nova.conf placement region_name 'REGION_NAME' + crudini --set /etc/nova/nova.conf placement auth_url 'AUTH_URL' + ROLE='ROLE_NAME' + 
params: + SERVICE_PASSWORD: { get_param: NovaPassword } + REGION_NAME: { get_param: KeystoneRegion } + AUTH_URL: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + ROLE_NAME: {{role.name}} + - get_file: ../extraconfig/tasks/pacemaker_common_functions.sh + - get_file: ../extraconfig/tasks/tripleo_upgrade_node.sh + + {{role.name}}DeliverUpgradeScriptDeployment: + type: OS::Heat::SoftwareDeploymentGroup + properties: + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}DeliverUpgradeScriptConfig} +{% endfor %} + +# Upgrade Steps for all roles, batched updates +# The UpgradeConfig resources could actually be created without +# serialization, but the event output is easier to follow if we +# do, and there should be minimal performance hit (creating the +# config is cheap compared to the time to apply the deployment). +{% for step in range(0, batch_upgrade_steps_max) %} + # Batch config resources step {{step}} + {%- for role in roles %} + {{role.name}}UpgradeBatchConfig_Step{{step}}: + type: OS::TripleO::UpgradeConfig + {%- if step > 0 %} + condition: {{role.name}}UpgradeBatchConfigEnabled + {% if role.name in enabled_roles %} + depends_on: + - {{role.name}}UpgradeBatch_Step{{step -1}} + {%- endif %} + {% else %} + {% for role in roles if role.disable_upgrade_deployment|default(false) %} + {% if deliver_script.update({'deliver': True}) %} {% endif %} + {% endfor %} + {% if deliver_script.deliver %} + depends_on: + {% endif %} + {% for dep in roles if dep.disable_upgrade_deployment|default(false) %} + - {{dep.name}}DeliverUpgradeScriptDeployment + {% endfor %} + {% endif %} + properties: + UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_batch_tasks]} + step: {{step}} + {%- endfor %} + + # Batch deployment resources for step {{step}} (only for enabled roles) + {%- for role in enabled_roles %} + {{role.name}}UpgradeBatch_Step{{step}}: + type: OS::Heat::SoftwareDeploymentGroup + condition: 
{{role.name}}UpgradeBatchConfigEnabled + {%- if step > 0 %} + depends_on: + - {{role.name}}UpgradeBatch_Step{{step -1}} + {% else %} + depends_on: + - {{role.name}}UpgradeBatchConfig_Step{{step}} + {%- endif %} + update_policy: + batch_create: + max_batch_size: {{role.upgrade_batch_size|default(1)}} + rolling_update: + max_batch_size: {{role.upgrade_batch_size|default(1)}} + properties: + name: {{role.name}}UpgradeBatch_Step{{step}} + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}UpgradeBatchConfig_Step{{step}}} + input_values: + role: {{role.name}} + update_identifier: {get_param: UpdateIdentifier} + {%- endfor %} +{%- endfor %} + +# Dump the puppet manifests to be apply later when disable_upgrade_deployment +# is to true +{% for role in roles if role.disable_upgrade_deployment|default(false) %} + {{role.name}}DeliverPuppetConfig: + type: OS::Heat::SoftwareConfig + properties: + group: script + config: + list_join: + - '' + - - str_replace: + template: | + #!/bin/bash + cat > /root/{{role.name}}_puppet_config.pp << ENDOFCAT + PUPPET_CLASSES + ENDOFCAT + params: + PUPPET_CLASSES: {get_param: [role_data, {{role.name}}, step_config]} + + {{role.name}}DeliverPuppetDeployment: + type: OS::Heat::SoftwareDeploymentGroup + properties: + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}DeliverPuppetConfig} +{% endfor %} + # Upgrade Steps for all roles -# FIXME(shardy): would be nice to make the number of steps configurable -{% for step in range(0, 8) %} - {% for role in roles %} - # Step {{step}} resources +{%- for step in range(0, upgrade_steps_max) %} + # Config resources for step {{step}} + {%- for role in roles %} {{role.name}}UpgradeConfig_Step{{step}}: type: OS::TripleO::UpgradeConfig # The UpgradeConfig resources could actually be created without # serialization, but the event output is easier to follow if we # do, and there should be minimal performance hit (creating the # config is cheap 
compared to the time to apply the deployment). - {% if step > 0 %} + {%- if step > 0 %} + condition: {{role.name}}UpgradeConfigEnabled + {% if role.name in enabled_roles %} depends_on: - {% for dep in roles %} - - {{dep.name}}Upgrade_Step{{step -1}} - {% endfor %} - {% endif %} + - {{role.name}}Upgrade_Step{{step -1}} + {% endif %} + {%- endif %} properties: UpgradeStepConfig: {get_param: [role_data, {{role.name}}, upgrade_tasks]} step: {{step}} + {%- endfor %} + # Deployment resources for step {{step}} (only for enabled roles) + {%- for role in enabled_roles %} {{role.name}}Upgrade_Step{{step}}: - type: OS::Heat::StructuredDeploymentGroup - {% if step > 0 %} + type: OS::Heat::SoftwareDeploymentGroup + {%- if step > 0 %} + condition: {{role.name}}UpgradeConfigEnabled depends_on: - {% for dep in roles %} - - {{dep.name}}Upgrade_Step{{step -1}} - {% endfor %} - {% endif %} + - {{role.name}}Upgrade_Step{{step -1}} + {%- endif %} properties: name: {{role.name}}Upgrade_Step{{step}} servers: {get_param: [servers, {{role.name}}]} @@ -53,8 +211,21 @@ resources: input_values: role: {{role.name}} update_identifier: {get_param: UpdateIdentifier} - {% endfor %} -{% endfor %} + {%- endfor %} +{%- endfor %} + + # Post upgrade deployment steps for all roles + # This runs the normal configuration (e.g puppet) steps unless upgrade + # is disabled for the role + AllNodesPostUpgradeSteps: + type: OS::TripleO::PostUpgradeSteps + depends_on: +{%- for dep in enabled_roles %} + - {{dep.name}}Upgrade_Step{{upgrade_steps_max - 1}} +{%- endfor %} + properties: + servers: {get_param: servers} + role_data: {get_param: role_data} outputs: # Output the config for each role, just use Step1 as the config should be @@ -65,4 +236,3 @@ outputs: {% for role in roles %} {{role.name.lower()}}: {get_attr: [{{role.name}}UpgradeConfig_Step1, upgrade_config]} {% endfor %} - diff --git a/puppet/post-upgrade.j2.yaml b/puppet/post-upgrade.j2.yaml new file mode 100644 index 00000000..b84039de --- /dev/null 
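Review bot: `NovaPassword` is declared `hidden: true`, yet `{{role.name}}DeliverUpgradeScriptConfig` substitutes it via `str_replace` into the script text (`crudini --set /etc/nova/nova.conf placement password 'SERVICE_PASSWORD'`), so the secret becomes part of the software-config body and presumably of any copy of the script kept on the node. A password containing a single quote also closes the shell string early, and the rest is then parsed as shell; passing the value as a deployment input and reading it from the environment inside the script would avoid both problems. In `{{role.name}}DeliverPuppetConfig` the heredoc delimiter is unquoted, so `$` and backticks in the manifest are expanded by bash; `cat > /root/{{role.name}}_puppet_config.pp << 'ENDOFCAT'` keeps the content literal. Finally, `{% if role.name in enabled_roles %}` tests a name against a list of role mappings and looks like it can never be true, so the `depends_on` under it would never render; `{% if role in enabled_roles %}` is probably what was intended.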
+++ b/puppet/post-upgrade.j2.yaml @@ -0,0 +1,27 @@ +heat_template_version: ocata + +description: > + Post-upgrade configuration steps via puppet for all roles + where upgrade is not disabled as defined in ../roles_data.yaml + +parameters: + servers: + type: json + description: Mapping of Role name e.g Controller to a list of servers + + role_data: + type: json + description: Mapping of Role name e.g Controller to the per-role data + + DeployIdentifier: + default: '' + type: string + description: > + Setting this to a unique value will re-run any deployment tasks which + perform configuration on a Heat stack-update. + +resources: +# Note the include here is the same as post.j2.yaml but the data used at +# the time of rendering is different if any roles disable upgrades +{% set roles = roles|rejectattr('disable_upgrade_deployment')|list -%} +{% include 'puppet-steps.j2' %} diff --git a/puppet/post.j2.yaml b/puppet/post.j2.yaml index 2a02ea19..21202775 100644 --- a/puppet/post.j2.yaml +++ b/puppet/post.j2.yaml @@ -12,7 +12,11 @@ parameters: role_data: type: json description: Mapping of Role name e.g Controller to the per-role data - + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json DeployIdentifier: default: '' type: string 
@@ -21,97 +25,4 @@ parameters: perform configuration on a Heat stack-update. resources: - -{% for role in roles %} - # Post deployment steps for all roles - # A single config is re-applied with an incrementing step number - # {{role.name}} Role steps - {{role.name}}ArtifactsConfig: - type: deploy-artifacts.yaml - - {{role.name}}ArtifactsDeploy: - type: OS::Heat::StructuredDeployments - properties: - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}ArtifactsConfig} - - {{role.name}}PreConfig: - type: OS::TripleO::Tasks::{{role.name}}PreConfig - properties: - servers: {get_param: [servers, {{role.name}}]} - input_values: - update_identifier: {get_param: DeployIdentifier} - - {{role.name}}Config: - type: OS::TripleO::{{role.name}}Config - properties: - StepConfig: {get_param: [role_data, {{role.name}}, step_config]} - - {% if role.name == 'Controller' %} - ControllerPrePuppet: - type: OS::TripleO::Tasks::ControllerPrePuppet - properties: - servers: {get_param: [servers, Controller]} - input_values: - update_identifier: {get_param: DeployIdentifier} - {% endif %} - - # Step through a series of configuration steps -{% for step in range(1, 6) %} - {% for role in roles %} - - {{role.name}}Deployment_Step{{step}}: - type: OS::Heat::StructuredDeploymentGroup - {% if step == 1 %} - depends_on: [{{role.name}}PreConfig, {{role.name}}ArtifactsDeploy] - {% else %} - depends_on: - {% for dep in roles %} - - {{dep.name}}Deployment_Step{{step -1}} - {% endfor %} - {% endif %} - properties: - name: {{role.name}}Deployment_Step{{step}} - servers: {get_param: [servers, {{role.name}}]} - config: {get_resource: {{role.name}}Config} - input_values: - step: {{step}} - update_identifier: {get_param: DeployIdentifier} - - {% endfor %} -{% endfor %} - - {{role.name}}PostConfig: - type: OS::TripleO::Tasks::{{role.name}}PostConfig - depends_on: - {% for dep in roles %} - - {{dep.name}}Deployment_Step5 - {% endfor %} - properties: - servers: {get_param: 
servers} - input_values: - update_identifier: {get_param: DeployIdentifier} - - # Note, this should come last, so use depends_on to ensure - # this is created after any other resources. - {{role.name}}ExtraConfigPost: - depends_on: - {% for dep in roles %} - - {{dep.name}}PostConfig - {% endfor %} - type: OS::TripleO::NodeExtraConfigPost - properties: - servers: {get_param: [servers, {{role.name}}]} - - {% if role.name == 'Controller' %} - ControllerPostPuppet: - depends_on: - - ControllerExtraConfigPost - type: OS::TripleO::Tasks::ControllerPostPuppet - properties: - servers: {get_param: [servers, Controller]} - input_values: - update_identifier: {get_param: DeployIdentifier} - {% endif %} - -{% endfor %} +{% include 'puppet-steps.j2' %} diff --git a/puppet/puppet-steps.j2 b/puppet/puppet-steps.j2 new file mode 100644 index 00000000..c3b54ccd --- /dev/null +++ b/puppet/puppet-steps.j2 
@@ -0,0 +1,88 @@ + # Post deployment steps for all roles + # A single config is re-applied with an incrementing step number +{% for role in roles %} + # {{role.name}} Role post-deploy steps + {{role.name}}ArtifactsConfig: + type: deploy-artifacts.yaml + + {{role.name}}ArtifactsDeploy: + type: OS::Heat::StructuredDeployments + properties: + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}ArtifactsConfig} + + {{role.name}}PreConfig: + type: OS::TripleO::Tasks::{{role.name}}PreConfig + properties: + servers: {get_param: [servers, {{role.name}}]} + input_values: + update_identifier: {get_param: DeployIdentifier} + + {{role.name}}Config: + type: OS::TripleO::{{role.name}}Config + properties: + StepConfig: {get_param: [role_data, {{role.name}}, step_config]} + + {% if role.name == 'Controller' %} + ControllerPrePuppet: + type: OS::TripleO::Tasks::ControllerPrePuppet + properties: + servers: {get_param: [servers, Controller]} + input_values: + update_identifier: {get_param: DeployIdentifier} + {% endif %} + + # Step through a series of configuration steps +{% for step in range(1, 6) %} + {{role.name}}Deployment_Step{{step}}: + type: OS::Heat::StructuredDeploymentGroup + {% if step == 1 %} + depends_on: [{{role.name}}PreConfig, {{role.name}}ArtifactsDeploy] + {% else %} + depends_on: + {% for dep in roles %} + - {{dep.name}}Deployment_Step{{step -1}} + {% endfor %} + {% endif %} + properties: + name: {{role.name}}Deployment_Step{{step}} + servers: {get_param: [servers, {{role.name}}]} + config: {get_resource: {{role.name}}Config} + input_values: + step: {{step}} + update_identifier: {get_param: DeployIdentifier} +{% endfor %} + + {{role.name}}PostConfig: + type: OS::TripleO::Tasks::{{role.name}}PostConfig + depends_on: + {% for dep in roles %} + - {{dep.name}}Deployment_Step5 + {% endfor %} + properties: + servers: {get_param: servers} + input_values: + update_identifier: {get_param: DeployIdentifier} + + # Note, this should come last, 
so use depends_on to ensure + # this is created after any other resources. + {{role.name}}ExtraConfigPost: + depends_on: + {% for dep in roles %} + - {{dep.name}}PostConfig + {% endfor %} + type: OS::TripleO::NodeExtraConfigPost + properties: + servers: {get_param: [servers, {{role.name}}]} + + {% if role.name == 'Controller' %} + ControllerPostPuppet: + depends_on: + - ControllerExtraConfigPost + type: OS::TripleO::Tasks::ControllerPostPuppet + properties: + servers: {get_param: [servers, Controller]} + input_values: + update_identifier: {get_param: DeployIdentifier} + {% endif %} +{% endfor %} diff --git a/puppet/services/README.rst b/puppet/services/README.rst index 6e4e9c1d..9c2d8c5c 100644 --- a/puppet/services/README.rst +++ b/puppet/services/README.rst 
@@ -49,6 +49,32 @@ are re-asserted when applying latter ones. 5) Service activation (Pacemaker) +Batch Upgrade Steps +------------------- + +Each service template may optionally define a `upgrade_batch_tasks` key, which +is a list of ansible tasks to be performed during the upgrade process. + +Similar to the step_config, we allow a series of steps for the per-service +upgrade sequence, defined as ansible tasks with a tag e.g "step1" for the first +step, "step2" for the second, etc (currently only two steps are supported, but +more may be added when required as additional services get converted to batched +upgrades). + +Note that each step is performed in batches, then we move on to the next step +which is also performed in batches (we don't perform all steps on one node, +then move on to the next one which means you can sequence rolling upgrades of +dependent services via the step value). + +The tasks performed at each step is service specific, but note that all batch +upgrade steps are performed before the `upgrade_tasks` described below. This +means that all services that support rolling upgrades can be upgraded without +downtime during `upgrade_batch_tasks`, then any remaining services are stopped +and upgraded during `upgrade_tasks` + +The default batch size is 1, but this can be overridden for each role via the +`upgrade_batch_size` option in roles_data.yaml + Upgrade Steps ------------- @@ -71,9 +97,9 @@ step, "step2" for the second, etc. 5) Perform any migration tasks, e.g DB sync commands - 6) Start control-plane services - - 7) Any additional online migration tasks (e.g data migrations) +Note that the services are not started in the upgrade tasks - we instead re-run +puppet which does any reconfiguration required for the new version, then starts +the services. Nova Server Metadata Settings ----------------------------- diff --git a/puppet/services/aodh-api.yaml b/puppet/services/aodh-api.yaml index 4e735b45..4bd9fc47 100644 
--- a/puppet/services/aodh-api.yaml +++ b/puppet/services/aodh-api.yaml @@ -83,3 +83,9 @@ outputs: get_attr: [AodhBase, role_data, service_config_settings] step_config: | include tripleo::profile::base::aodh::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: Stop aodh_api service (running under httpd) + tags: step2 + service: name=httpd state=stopped diff --git a/puppet/services/aodh-base.yaml b/puppet/services/aodh-base.yaml index 8648a971..f5ca329e 100644 --- a/puppet/services/aodh-base.yaml +++ b/puppet/services/aodh-base.yaml @@ -80,7 +80,7 @@ outputs: aodh::keystone::authtoken::project_name: 'service' aodh::keystone::authtoken::password: {get_param: AodhPassword} aodh::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + aodh::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } aodh::auth::auth_password: {get_param: AodhPassword} aodh::auth::auth_region: 'regionOne' aodh::auth::auth_tenant_name: 'service' diff --git a/puppet/services/aodh-evaluator.yaml b/puppet/services/aodh-evaluator.yaml index 61f8c23f..56dbb558 100644 --- a/puppet/services/aodh-evaluator.yaml +++ b/puppet/services/aodh-evaluator.yaml @@ -40,3 +40,10 @@ outputs: get_attr: [AodhBase, role_data, config_settings] step_config: | include tripleo::profile::base::aodh::evaluator + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-aodh-evaluator is running" + shell: /usr/bin/systemctl show 'openstack-aodh-evaluator' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop aodh_evaluator service + tags: step2 + service: name=openstack-aodh-evaluator state=stopped diff --git a/puppet/services/aodh-listener.yaml b/puppet/services/aodh-listener.yaml index 715165b3..76db0ca8 100644 
--- a/puppet/services/aodh-listener.yaml +++ b/puppet/services/aodh-listener.yaml @@ -40,3 +40,10 @@ outputs: get_attr: [AodhBase, role_data, config_settings] step_config: | include tripleo::profile::base::aodh::listener + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-aodh-listener is running" + shell: /usr/bin/systemctl show 'openstack-aodh-listener' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop aodh_listener service + tags: step2 + service: name=openstack-aodh-listener state=stopped diff --git a/puppet/services/aodh-notifier.yaml b/puppet/services/aodh-notifier.yaml index da85581b..30c67635 100644 --- a/puppet/services/aodh-notifier.yaml +++ b/puppet/services/aodh-notifier.yaml @@ -40,3 +40,10 @@ outputs: get_attr: [AodhBase, role_data, config_settings] step_config: | include tripleo::profile::base::aodh::notifier + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-aodh-notifier is running" + shell: /usr/bin/systemctl show 'openstack-aodh-notifier' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop aodh_notifier service + tags: step2 + service: name=openstack-aodh-notifier state=stopped diff --git a/puppet/services/apache-internal-tls-certmonger.yaml b/puppet/services/apache-internal-tls-certmonger.yaml index 07ec1b3c..4c21e02a 100644 --- a/puppet/services/apache-internal-tls-certmonger.yaml +++ b/puppet/services/apache-internal-tls-certmonger.yaml 
@@ -21,6 +21,22 @@ parameters: via parameter_defaults in the resource registry. type: json +resources: + + ApacheNetworks: + type: OS::Heat::Value + properties: + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap + outputs: role_data: description: Role data for the Apache role. @@ -38,13 +54,16 @@ outputs: hostname: "%{hiera('fqdn_NETWORK')}" principal: "HTTP/%{hiera('fqdn_NETWORK')}" for_each: - NETWORK: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap + NETWORK: {get_attr: [ApacheNetworks, value]} + metadata_settings: + repeat: + template: + - service: HTTP + network: $NETWORK + type: node + for_each: + $NETWORK: {get_attr: [ApacheNetworks, value]} + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service httpd is running" + shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b' + tags: step0,validation diff --git a/puppet/services/apache.yaml b/puppet/services/apache.yaml index 2e95dcb0..74ddbde8 100644 --- a/puppet/services/apache.yaml +++ b/puppet/services/apache.yaml 
@@ -64,3 +64,9 @@ outputs: apache::mod::prefork::serverlimit: { get_param: ApacheServerLimit } apache::mod::remoteip::proxy_ips: - "%{hiera('apache_remote_proxy_ips_network')}" + metadata_settings: + get_attr: [ApacheTLS, role_data, metadata_settings] + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service httpd is running" + shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b' + tags: step0,validation diff --git a/puppet/services/auditd.yaml b/puppet/services/auditd.yaml new file mode 100644 index 00000000..639631e1 --- /dev/null +++ b/puppet/services/auditd.yaml @@ -0,0 +1,34 @@ +heat_template_version: ocata + +description: > + AuditD configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + AuditdRules: + description: Mapping of auditd rules + type: json + default: {} + +outputs: + role_data: + description: Role data for the auditd service + value: + service_name: auditd + config_settings: + auditd::rules: {get_param: AuditdRules} + step_config: | + include ::tripleo::profile::base::auditd diff --git a/puppet/services/barbican-api.yaml b/puppet/services/barbican-api.yaml index 000a744c..239b6ca9 100644 --- a/puppet/services/barbican-api.yaml +++ b/puppet/services/barbican-api.yaml 
@@ -75,7 +75,7 @@ outputs: - get_attr: [ApacheServiceBase, role_data, config_settings] - barbican::keystone::authtoken::password: {get_param: BarbicanPassword} barbican::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + barbican::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} barbican::keystone::authtoken::project_name: 'service' barbican::api::host_href: {get_param: [EndpointMap, BarbicanPublic, uri]} barbican::api::db_auto_create: false @@ -136,11 +136,17 @@ outputs: nova::compute::barbican_endpoint: get_param: [EndpointMap, BarbicanInternal, uri] nova::compute::barbican_auth_endpoint: - get_param: [EndpointMap, KeystoneV3Internal, uri] + get_param: [EndpointMap, KeystoneV3Internal, uri_no_suffix] cinder_api: cinder::api::keymgr_api_class: > castellan.key_manager.barbican_key_manager.BarbicanKeyManager cinder::api::keymgr_encryption_api_url: get_param: [EndpointMap, BarbicanInternal, uri] cinder::api::keymgr_encryption_auth_url: - get_param: [EndpointMap, KeystoneV3Internal, uri] + get_param: [EndpointMap, KeystoneV3Internal, uri_no_suffix] + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-barbican-api is running" + shell: /usr/bin/systemctl show 'openstack-barbican-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation diff --git a/puppet/services/ceilometer-agent-central.yaml b/puppet/services/ceilometer-agent-central.yaml index b9d8966c..cf8a8a8e 100644 --- a/puppet/services/ceilometer-agent-central.yaml +++ b/puppet/services/ceilometer-agent-central.yaml 
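Review bot: The validation task added at the end of the second hunk requires the `openstack-barbican-api` unit to be active, while the same template merges `ApacheServiceBase` settings into its `config_settings`, which suggests the API may be served by httpd. If that is the case, the standalone unit would be inactive on a healthy node and step0 would fail the upgrade; checking `httpd` instead, as in `shell: /usr/bin/systemctl show 'httpd' --property ActiveState | grep '\bactive\b'`, would match what is actually running. The cinder-api hunk further down has a related problem: it checks `openstack-cinder-api` at step0 while a later task expects cinder under Apache after the upgrade, so a re-run after a partial upgrade would presumably fail validation. How the API is deployed is inferred from the context lines and should be confirmed; the task list continues outside the hunk.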
@@ -54,3 +54,10 @@ outputs: - ceilometer_redis_password: {get_param: RedisPassword} step_config: | include ::tripleo::profile::base::ceilometer::agent::central + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-central is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-central' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop ceilometer_agent_central service + tags: step2 + service: name=openstack-ceilometer-central state=stopped diff --git a/puppet/services/ceilometer-agent-compute.yaml b/puppet/services/ceilometer-agent-compute.yaml index b1d36c94..00042914 100644 --- a/puppet/services/ceilometer-agent-compute.yaml +++ b/puppet/services/ceilometer-agent-compute.yaml @@ -21,6 +21,12 @@ parameters: MonitoringSubscriptionCeilometerCompute: default: 'overcloud-ceilometer-agent-compute' type: string + InstanceDiscoveryMethod: + default: 'libvirt_metadata' + description: Method used to discover instances running on compute node + type: string + constraints: + - allowed_values: ['naive', 'libvirt_metadata', 'workload_partitioning'] resources: CeilometerServiceBase: 
@@ -37,6 +43,15 @@ outputs: service_name: ceilometer_agent_compute monitoring_subscription: {get_param: MonitoringSubscriptionCeilometerCompute} config_settings: - get_attr: [CeilometerServiceBase, role_data, config_settings] + map_merge: + - get_attr: [CeilometerServiceBase, role_data, config_settings] + - ceilometer::agent::compute::instance_discovery_method: {get_param: InstanceDiscoveryMethod} step_config: | include ::tripleo::profile::base::ceilometer::agent::compute + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-compute is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-compute' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop ceilometer_agent_compute service + tags: step2 + service: name=openstack-ceilometer-compute state=stopped diff --git a/puppet/services/ceilometer-agent-notification.yaml b/puppet/services/ceilometer-agent-notification.yaml index 9c9a3bd9..760acd65 100644 --- a/puppet/services/ceilometer-agent-notification.yaml +++ b/puppet/services/ceilometer-agent-notification.yaml @@ -49,3 +49,10 @@ outputs: get_attr: [CeilometerServiceBase, role_data, config_settings] step_config: | include ::tripleo::profile::base::ceilometer::agent::notification + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-notification is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-notification' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop ceilometer_agent_notification service + tags: step2 + service: name=openstack-ceilometer-notification state=stopped diff --git a/puppet/services/ceilometer-api.yaml b/puppet/services/ceilometer-api.yaml index 63e02d4f..741f8da1 100644 --- a/puppet/services/ceilometer-api.yaml +++ b/puppet/services/ceilometer-api.yaml 
@@ -90,3 +90,9 @@ outputs: get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: Stop ceilometer_api service (running under httpd) + tags: step2 + service: name=httpd state=stopped diff --git a/puppet/services/ceilometer-base.yaml b/puppet/services/ceilometer-base.yaml index a86a0cdf..5658e416 100644 --- a/puppet/services/ceilometer-base.yaml +++ b/puppet/services/ceilometer-base.yaml @@ -96,13 +96,12 @@ outputs: - '?bind_address=' - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" ceilometer_backend: {get_param: CeilometerBackend} - ceilometer::metering_secret: {get_param: CeilometerMeteringSecret} # we include db_sync class in puppet-tripleo ceilometer::db::sync_db: false ceilometer::keystone::authtoken::project_name: 'service' ceilometer::keystone::authtoken::password: {get_param: CeilometerPassword} ceilometer::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - ceilometer::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + ceilometer::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } ceilometer::agent::auth::auth_password: {get_param: CeilometerPassword} ceilometer::agent::auth::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } ceilometer::agent::notification::event_pipeline_publishers: {get_param: EventPipelinePublishers} diff --git a/puppet/services/ceilometer-collector.yaml b/puppet/services/ceilometer-collector.yaml index 88e7d781..a219f9eb 100644 --- a/puppet/services/ceilometer-collector.yaml +++ b/puppet/services/ceilometer-collector.yaml 
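Review bot: The new `Stop ceilometer_api service (running under httpd)` task stops the whole `httpd` unit at step2, which takes down every other service hosted by Apache on that node, not only the ceilometer API. The hunk adds no matching start task and no step0 validation like the sibling ceilometer templates have, so it relies on something outside this file to bring httpd back. I would add a comment on the task stating that the shared unit is stopped deliberately and which later step restarts it, for example `# httpd is shared by all WSGI services on this node; restarted by <step/mechanism>`.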
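Review bot: Dropping `ceilometer::metering_secret: {get_param: CeilometerMeteringSecret}` in the ceilometer-base hunk leaves no visible assignment of the message-signing secret in these lines. If the value is now set under another key elsewhere in the file (puppet-ceilometer also has `ceilometer::telemetry_secret`), that is fine, but it cannot be confirmed from this hunk. If it is not, the module default would apply and the deployment's `CeilometerMeteringSecret` would be silently unused, which is worth ruling out before merge. The `config_settings` map continues outside the hunk.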
@@ -59,3 +59,10 @@ outputs: get_attr: [CeilometerServiceBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceilometer::collector + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-ceilometer-collector is running" + shell: /usr/bin/systemctl show 'openstack-ceilometer-collector' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop ceilometer_collector service + tags: step2 + service: name=openstack-ceilometer-collector state=stopped diff --git a/puppet/services/ceph-external.yaml b/puppet/services/ceph-external.yaml index aaa9b039..134f47c4 100644 --- a/puppet/services/ceph-external.yaml +++ b/puppet/services/ceph-external.yaml 
@@ -89,23 +89,23 @@ outputs: ceph::profile::params::fsid: {get_param: CephClusterFSID} ceph::profile::params::rbd_default_features: {get_param: RbdDefaultFeatures} ceph::profile::params::client_keys: - str_replace: - template: "{ - client.CLIENT_USER: { - secret: 'CLIENT_KEY', - mode: '0644', - cap_mon: 'allow r', - cap_osd: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=CINDERBACKUP_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL, allow rwx pool=GNOCCHI_POOL' - } - }" - params: - CLIENT_USER: {get_param: CephClientUserName} - CLIENT_KEY: {get_param: CephClientKey} - NOVA_POOL: {get_param: NovaRbdPoolName} - CINDER_POOL: {get_param: CinderRbdPoolName} - CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} - GLANCE_POOL: {get_param: GlanceRbdPoolName} - GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + map_replace: + - CEPH_CLIENT_KEY: + secret: {get_param: CephClientKey} + mode: '0644' + cap_mon: 'allow r' + cap_osd: + str_replace: + template: 'allow class-read object_prefix rbd_children, allow rwx pool=CINDER_POOL, allow rwx pool=CINDERBACKUP_POOL, allow rwx pool=NOVA_POOL, allow rwx pool=GLANCE_POOL, allow rwx pool=GNOCCHI_POOL' + params: + NOVA_POOL: {get_param: NovaRbdPoolName} + CINDER_POOL: {get_param: CinderRbdPoolName} + CINDERBACKUP_POOL: {get_param: CinderBackupRbdPoolName} + GLANCE_POOL: {get_param: GlanceRbdPoolName} + GNOCCHI_POOL: {get_param: GnocchiRbdPoolName} + - keys: + CEPH_CLIENT_KEY: + list_join: ['.', ['client', {get_param: CephClientUserName}]] ceph::profile::params::manage_repo: false # FIXME(gfidente): we should not have to list the packages explicitly in # the templates, but this should stay until the following is fixed: diff --git a/puppet/services/ceph-mon.yaml b/puppet/services/ceph-mon.yaml index 68ad69b7..1ce58335 100644 --- a/puppet/services/ceph-mon.yaml +++ b/puppet/services/ceph-mon.yaml 
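Review bot: The rewritten `client_keys` entry still sets `mode: '0644'` on the keyring that carries `secret: {get_param: CephClientKey}`, so the client key would be readable by every local user on the node. The value is carried over from the removed template, but this restructuring is a good moment to either tighten it or record why several service accounts need read access, e.g. `# 0644: keyring is read by the nova, cinder, glance and gnocchi service users`. The same identity also receives `allow rwx` on all five pools, so a leak of this one file exposes every pool. Moving the key out of the string template into a structured map is an improvement, since the secret is no longer parsed out of interpolated text.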
@@ -113,3 +113,27 @@ outputs: get_attr: [CephBase, role_data, service_config_settings] step_config: | include ::tripleo::profile::base::ceph::mon + upgrade_batch_tasks: + # Note we perform these tasks in list order, but they are all step0 so + # we can perform a rolling upgrade of all mon nodes in step0, then a + # rolling upgrade of all osd nodes in step1 + - name: Check status + tags: step0,validation + shell: ceph health | grep -qv HEALTH_ERR + # FIXME(shardy) I suspect we can use heat or ansible facts here instead? + - name: Get hostname + tags: step0 + shell: hostname -s + register: mon_id + - name: Stop Ceph Mon + tags: step0 + service: name=ceph-mon@{{mon_id.stdout}} pattern=ceph-mon state=stopped + - name: Update ceph packages + tags: step0 + yum: name=ceph-mon state=latest + - name: Start ceph-mon service + tags: step0 + service: name=ceph-mon@{{mon_id.stdout}} state=started + - name: ceph osd crush tunables default + tags: step0 + shell: ceph osd crush tunables default diff --git a/puppet/services/ceph-osd.yaml b/puppet/services/ceph-osd.yaml index df0ee6c3..9bd83aab 100644 --- a/puppet/services/ceph-osd.yaml +++ b/puppet/services/ceph-osd.yaml 
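Review bot: Nothing after `Start ceph-mon service` confirms that the monitor rejoined the cluster before `ceph osd crush tunables default` runs and before the rolling batch moves to the next mon node. The only health gate is the `Check status` task, which runs once before the stop and rejects only `HEALTH_ERR`. A retried health check after the start would keep a second monitor from being taken down while the first is still out; the retry count and delay below are illustrative. How batches are sequenced across nodes is not visible in this hunk.

```yaml
# … unchanged: Check status, Get hostname, Stop Ceph Mon, Update ceph packages, Start ceph-mon service …
- name: Wait for the cluster to report health after the mon restart
  tags: step0
  shell: ceph health | grep -qv HEALTH_ERR
  register: ceph_health
  until: ceph_health.rc == 0
  retries: 10
  delay: 6
# … unchanged: ceph osd crush tunables default …
```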
@@ -45,3 +45,47 @@ outputs: - '6800-7300' step_config: | include ::tripleo::profile::base::ceph::osd + upgrade_batch_tasks: + - name: Check status + tags: step1,validation + shell: ceph health | grep -qv HEALTH_ERR + - name: Get OSD IDs + tags: step1 + shell: ls /var/lib/ceph/osd | awk 'BEGIN { FS = "-" } ; { print $2 }' + register: osd_ids + # "so that mirrors aren't rebalanced as if the OSD died" - gfidente / leseb + - name: ceph osd set noout + tags: step1 + command: ceph osd set noout + - name: ceph osd set norebalance + tags: step1 + command: ceph osd set norebalance + - name: ceph osd set nodeep-scrub + tags: step1 + command: ceph osd set nodeep-scrub + - name: ceph osd set noscrub + tags: step1 + command: ceph osd set noscrub + - name: Stop Ceph OSD + tags: step1 + service: name=ceph-osd@{{ item }} state=stopped + with_items: "{{osd_ids.stdout.strip().split()}}" + - name: Update ceph OSD packages + tags: step1 + yum: name=ceph-osd state=latest + - name: Start ceph-osd service + tags: step1 + service: name=ceph-osd@{{ item }} state=started + with_items: "{{osd_ids.stdout.strip().split()}}" + - name: ceph osd unset noout + tags: step1 + command: ceph osd unset noout + - name: ceph osd unset norebalance + tags: step1 + command: ceph osd unset norebalance + - name: ceph osd unset nodeep-scrub + tags: step1 + command: ceph osd unset nodeep-scrub + - name: ceph osd unset noscrub + tags: step1 + command: ceph osd unset noscrub diff --git a/puppet/services/ceph-rgw.yaml b/puppet/services/ceph-rgw.yaml index 6448387c..d7014e54 100644 --- a/puppet/services/ceph-rgw.yaml +++ b/puppet/services/ceph-rgw.yaml 
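Review bot: If any task between `ceph osd set noout` and the four `unset` tasks fails, the `noout`, `norebalance`, `nodeep-scrub` and `noscrub` flags stay set cluster-wide and recovery and scrubbing remain disabled until someone notices. Putting the stop, package update and start tasks under `block:` and the four unset tasks under `always:` would clear the flags on failure as well. The flags are also cleared immediately after `Start ceph-osd service` with no check that the OSDs are back up, so the next node in the batch may start while this one is still rejoining. The `Get OSD IDs` pipeline assumes directory names of the form `<cluster>-<id>` with no hyphen in the cluster name, which deserves a comment.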
@@ -54,10 +54,14 @@ outputs: - get_attr: [CephBase, role_data, config_settings] - tripleo::profile::base::ceph::rgw::rgw_key: {get_param: CephRgwKey} tripleo::profile::base::ceph::rgw::keystone_admin_token: {get_param: AdminToken} - tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + tripleo::profile::base::ceph::rgw::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} tripleo::profile::base::ceph::rgw::civetweb_bind_ip: {get_param: [ServiceNetMap, CephRgwNetwork]} tripleo::profile::base::ceph::rgw::civetweb_bind_port: {get_param: [EndpointMap, CephRgwInternal, port]} - ceph::params::user_radosgw: ceph + tripleo::profile::base::ceph::rgw::rgw_keystone_version: v3 + ceph::profile::params::rgw_keystone_admin_domain: default + ceph::profile::params::rgw_keystone_admin_project: service + ceph::profile::params::rgw_keystone_admin_user: swift + ceph::profile::params::rgw_keystone_admin_password: {get_param: SwiftPassword} tripleo.ceph_rgw.firewall_rules: '122 ceph rgw': dport: {get_param: [EndpointMap, CephRgwInternal, port]} 
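Review bot: The hunk switches RGW to Keystone v3 with a dedicated user (`rgw_keystone_admin_user: swift`, password from `SwiftPassword`) but still passes `tripleo::profile::base::ceph::rgw::keystone_admin_token: {get_param: AdminToken}` in the unchanged context line. If the profile no longer needs the token once user credentials are supplied, leaving it in place keeps the Keystone bootstrap secret in the RGW node's hieradata for no benefit. I would drop that line in this change, or add a comment such as `# still required by the rgw profile until <condition>` if it must stay. Whether the profile still reads the token cannot be seen from this hunk.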
@@ -68,7 +72,19 @@ outputs: ceph::rgw::keystone::auth::public_url: {get_param: [EndpointMap, CephRgwPublic, uri]} ceph::rgw::keystone::auth::internal_url: {get_param: [EndpointMap, CephRgwInternal, uri]} ceph::rgw::keystone::auth::admin_url: {get_param: [EndpointMap, CephRgwAdmin, uri]} - ceph::rgw::keystone::auth::user: 'swift' - ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} ceph::rgw::keystone::auth::region: {get_param: KeystoneRegion} - ceph::rgw::keystone::auth::tenant: 'service' + ceph::rgw::keystone::auth::roles: [ 'admin', 'member', '_member_' ] + ceph::rgw::keystone::auth::tenant: service + ceph::rgw::keystone::auth::user: swift + ceph::rgw::keystone::auth::password: {get_param: SwiftPassword} + upgrade_tasks: + - name: Gather RGW instance ID + tags: step0 + shell: hiera -c /etc/puppet/hiera.yaml ceph::profile::params::rgw_name radosgw.gateway + register: rgw_id + - name: Check status + shell: /usr/bin/systemctl show ceph-radosgw@{{rgw_id.stdout}} --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop RGW instance + tags: step1 + service: name=ceph-radosgw@{{rgw_id.stdout}} state=stopped diff --git a/puppet/services/cinder-api.yaml b/puppet/services/cinder-api.yaml index 963ebd63..8c5a07ac 100644 --- a/puppet/services/cinder-api.yaml +++ b/puppet/services/cinder-api.yaml @@ -81,7 +81,7 @@ outputs: - get_attr: [CinderBase, role_data, config_settings] - get_attr: [ApacheServiceBase, role_data, config_settings] - cinder::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + cinder::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} cinder::keystone::authtoken::password: {get_param: CinderPassword} cinder::keystone::authtoken::project_name: 'service' cinder::api::enable_proxy_headers_parsing: true 
@@ -91,7 +91,6 @@ outputs: cinder::config: DEFAULT/swift_catalog_info: value: 'object-store:swift:internalURL' - cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} tripleo::profile::base::cinder::cinder_enable_db_purge: {get_param: CinderEnableDBPurge} tripleo.cinder_api.firewall_rules: '119 cinder': @@ -147,7 +146,12 @@ outputs: cinder::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-cinder-api is running" + shell: /usr/bin/systemctl show 'openstack-cinder-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: check for cinder running under apache (post upgrade) tags: step2 shell: "apachectl -t -D DUMP_VHOSTS | grep -q cinder" diff --git a/puppet/services/cinder-backend-dellps.yaml b/puppet/services/cinder-backend-dellps.yaml new file mode 100644 index 00000000..1f15c53e --- /dev/null +++ b/puppet/services/cinder-backend-dellps.yaml 
@@ -0,0 +1,85 @@ +# Copyright (c) 2017 Dell Inc. or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +heat_template_version: ocata + +description: > + Openstack Cinder Dell EMC PS Series backend + +parameters: + CinderEnableDellPsBackend: + type: boolean + default: true + CinderDellPsBackendName: + type: string + default: 'tripleo_dellps' + CinderDellPsSanIp: + type: string + CinderDellPsSanLogin: + type: string + CinderDellPsSanPassword: + type: string + hidden: true + CinderDellPsSanThinProvision: + type: boolean + default: true + CinderDellPsGroupname: + type: string + default: 'group-0' + CinderDellPsPool: + type: string + default: 'default' + CinderDellPsChapLogin: + type: string + default: '' + CinderDellPsChapPassword: + type: string + default: '' + CinderDellPsUseChap: + type: boolean + default: false + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +outputs: + role_data: + description: Role data for the Cinder Dell EMC PS Series backend. 
+ value: + service_name: cinder_backend_dellps + config_settings: + tripleo::profile::base::cinder::volume::cinder_enable_dellps_backend: {get_param: CinderEnableDellPsBackend} + cinder::backend::eqlx::volume_backend_name: {get_param: CinderDellPsBackendName} + cinder::backend::eqlx::san_ip: {get_param: CinderDellPsSanIp} + cinder::backend::eqlx::san_login: {get_param: CinderDellPsSanLogin} + cinder::backend::eqlx::san_password: {get_param: CinderDellPsSanPassword} + cinder::backend::eqlx::san_thin_provision: {get_param: CinderDellPsSanThinProvision} + cinder::backend::eqlx::eqlx_group_name: {get_param: CinderDellPsGroupname} + cinder::backend::eqlx::eqlx_pool: {get_param: CinderDellPsPool} + cinder::backend::eqlx::eqlx_use_chap: {get_param: CinderDellPsUseChap} + cinder::backend::eqlx::eqlx_chap_login: {get_param: CinderDellPsChapLogin} + cinder::backend::eqlx::eqlx_chap_password: {get_param: CinderDellPsChapPassword} + step_config: | + include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/cinder-backend-dellsc.yaml b/puppet/services/cinder-backend-dellsc.yaml new file mode 100644 index 00000000..6a6196ac --- /dev/null +++ b/puppet/services/cinder-backend-dellsc.yaml 
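Review bot: `CinderDellPsChapPassword` is declared as a plain `type: string` with `default: ''` and no `hidden: true`, unlike `CinderDellPsSanPassword` directly above it. Without the flag the CHAP secret is shown in clear text wherever Heat displays stack parameters. Adding `hidden: true` under `CinderDellPsChapPassword` brings it in line with the SAN password. None of the parameters in this new file has a `description`, which would also be worth adding for the ones operators must set (`CinderDellPsSanIp`, `CinderDellPsSanLogin`, `CinderDellPsSanPassword`).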
@@ -0,0 +1,85 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +heat_template_version: ocata + +description: > + Openstack Cinder Dell EMC Storage Center backend + +parameters: + CinderEnableDellScBackend: + type: boolean + default: true + CinderDellScBackendName: + type: string + default: 'tripleo_dellsc' + CinderDellScSanIp: + type: string + CinderDellScSanLogin: + type: string + default: 'Admin' + CinderDellScSanPassword: + type: string + hidden: true + CinderDellScSsn: + type: number + default: 64702 + CinderDellScIscsiIpAddress: + type: string + default: '' + CinderDellScIscsiPort: + type: number + default: 3260 + CinderDellScApiPort: + type: number + default: 3033 + CinderDellScServerFolder: + type: string + default: 'dellsc_server' + CinderDellScVolumeFolder: + type: string + default: 'dellsc_volume' + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +outputs: + role_data: + description: Role data for the Cinder Dell EMC Storage Center backend. 
+ value: + service_name: cinder_backend_dellsc + config_settings: + tripleo::profile::base::cinder::volume::cinder_enable_dellsc_backend: {get_param: CinderEnableDellScBackend} + cinder::backend::dellsc_iscsi::volume_backend_name: {get_param: CinderDellScBackendName} + cinder::backend::dellsc_iscsi::san_ip: {get_param: CinderDellScSanIp} + cinder::backend::dellsc_iscsi::san_login: {get_param: CinderDellScSanLogin} + cinder::backend::dellsc_iscsi::san_password: {get_param: CinderDellScSanPassword} + cinder::backend::dellsc_iscsi::dell_sc_ssn: {get_param: CinderDellScSsn} + cinder::backend::dellsc_iscsi::iscsi_ip_address: {get_param: CinderDellScIscsiIpAddress} + cinder::backend::dellsc_iscsi::iscsi_port: {get_param: CinderDellScIscsiPort} + cinder::backend::dellsc_iscsi::dell_sc_api_port: {get_param: CinderDellScApiPort} + cinder::backend::dellsc_iscsi::dell_sc_server_folder: {get_param: CinderDellScServerFolder} + cinder::backend::dellsc_iscsi::dell_sc_volume_folder: {get_param: CinderDellScVolumeFolder} + step_config: | + include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/cinder-backend-scaleio.yaml b/puppet/services/cinder-backend-scaleio.yaml new file mode 100644 index 00000000..eb709cd5 --- /dev/null +++ b/puppet/services/cinder-backend-scaleio.yaml 
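Review bot: `CinderDellScSsn` has `default: 64702`, which looks like the serial number of one particular array, and `CinderDellScSanLogin` has `default: 'Admin'`. A deployment that forgets to set them would be configured against the wrong system identifier and with the array's administrative account name, instead of failing at template validation. I would remove both defaults so the values are mandatory, as `CinderDellScSanIp` and `CinderDellScSanPassword` already are, and add a `description` to each parameter, e.g. `description: Storage Center serial number (SSN) of the target array`. The meaning of 64702 is an inference from the parameter name.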
@@ -0,0 +1,111 @@ +# Copyright (c) 2016-2017 Dell Inc, or its subsidiaries. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. +heat_template_version: ocata + +description: > + Openstack Cinder Dell EMC ScaleIO backend + +parameters: + CinderEnableScaleIOBackend: + type: boolean + default: true + CinderScaleIOBackendName: + type: string + default: 'tripleo_scaleio' + CinderScaleIOSanIp: + type: string + default: '' + CinderScaleIOSanLogin: + type: string + default: '' + CinderScaleIOSanPassword: + type: string + default: '' + hidden: true + CinderScaleIORestServerPort: + type: number + default: 443 + CinderScaleIOVerifyServerCertificate: + type: boolean + default: false + CinderScaleIOServerCertificatePath: + type: string + default: '' + CinderScaleIOProtectionDomainId: + type: string + default: '' + CinderScaleIOProtectionDomainName: + type: string + default: '' + CinderScaleIOStoragePoolId: + type: string + default: '' + CinderScaleIOStoragePoolName: + type: string + default: '' + CinderScaleIOStoragePools: + type: string + default: '' + CinderScaleIORoundVolumeCapacity: + type: boolean + default: true + CinderScaleIOUnmapVolumeBeforeDeletion: + type: boolean + default: false + CinderScaleIOMaxOverSubscriptionRatio: + type: string + default: '' + CinderScaleIOSanThinProvision: + type: boolean + default: true + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. 
This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + type: json + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + +outputs: + role_data: + description: Role data for the Cinder Dell EMC ScaleIO backend. + value: + service_name: cinder_backend_scaleio + config_settings: + tripleo::profile::base::cinder::volume::cinder_enable_scaleio_backend: {get_param: CinderEnableScaleIOBackend} + cinder::backend::scaleio::volume_backend_name: {get_param: CinderScaleIOBackendName} + cinder::backend::scaleio::sio_login: {get_param: CinderScaleIOSanLogin} + cinder::backend::scaleio::sio_password: {get_param: CinderScaleIOSanPassword} + cinder::backend::scaleio::sio_server_hostname: {get_param: CinderScaleIOSanIp} + cinder::backend::scaleio::sio_server_port: {get_param: CinderScaleIORestServerPort} + cinder::backend::scaleio::sio_verify_server_certificate: {get_param: CinderScaleIOVerifyServerCertificate} + cinder::backend::scaleio::sio_server_certificate_path: {get_param: CinderScaleIOServerCertificatePath} + cinder::backend::scaleio::sio_protection_domain_name: {get_param: CinderScaleIOProtectionDomainName} + cinder::backend::scaleio::sio_protection_domain_id: {get_param: CinderScaleIOProtectionDomainId} + cinder::backend::scaleio::sio_storage_pool_id: {get_param: CinderScaleIOStoragePoolId} + cinder::backend::scaleio::sio_storage_pool_name: {get_param: CinderScaleIOStoragePoolName} + cinder::backend::scaleio::sio_storage_pools: {get_param: CinderScaleIOStoragePools} + cinder::backend::scaleio::sio_round_volume_capacity: {get_param: CinderScaleIORoundVolumeCapacity} + cinder::backend::scaleio::sio_unmap_volume_before_deletion: {get_param: CinderScaleIOUnmapVolumeBeforeDeletion} + cinder::backend::scaleio::sio_max_over_subscription_ratio: {get_param: CinderScaleIOMaxOverSubscriptionRatio} + 
cinder::backend::scaleio::sio_thin_provision: {get_param: CinderScaleIOThinProvision} + step_config: | + include ::tripleo::profile::base::cinder::volume diff --git a/puppet/services/cinder-base.yaml b/puppet/services/cinder-base.yaml index 91c9ff5e..a5d7fcf1 100644 --- a/puppet/services/cinder-base.yaml +++ b/puppet/services/cinder-base.yaml @@ -119,3 +119,4 @@ outputs: cinder::cron::db_purge::user: {get_param: CinderCronDbPurgeUser} cinder::cron::db_purge::age: {get_param: CinderCronDbPurgeAge} cinder::cron::db_purge::destination: {get_param: CinderCronDbPurgeDestination} + cinder::glance::glance_api_servers: {get_param: [EndpointMap, GlanceInternal, uri]} diff --git a/puppet/services/cinder-scheduler.yaml b/puppet/services/cinder-scheduler.yaml index 6a0b1f24..f102810e 100644 --- a/puppet/services/cinder-scheduler.yaml +++ b/puppet/services/cinder-scheduler.yaml @@ -52,6 +52,9 @@ outputs: step_config: | include ::tripleo::profile::base::cinder::scheduler upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-cinder-scheduler is running" + shell: /usr/bin/systemctl show 'openstack-cinder-scheduler' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop cinder_scheduler service tags: step2 service: name=openstack-cinder-scheduler state=stopped diff --git a/puppet/services/cinder-volume.yaml b/puppet/services/cinder-volume.yaml index 8834eaa5..3a06afb8 100644 --- a/puppet/services/cinder-volume.yaml +++ b/puppet/services/cinder-volume.yaml 
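Review bot: The last `config_settings` entry of the new ScaleIO template reads `{get_param: CinderScaleIOThinProvision}`, but the parameter declared in this file is `CinderScaleIOSanThinProvision`, so the reference points at an undeclared parameter and the template should fail validation. The line should be `cinder::backend::scaleio::sio_thin_provision: {get_param: CinderScaleIOSanThinProvision}`. Separately, `CinderScaleIOVerifyServerCertificate` defaults to `false` while the login and password are sent to the REST gateway on port 443, so certificate verification is off unless an operator opts in. I would default it to `true`, or at least add a `description` that states the consequence of leaving it disabled.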
@@ -116,9 +116,9 @@ outputs: step_config: | include ::tripleo::profile::base::cinder::volume upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-cinder-volume is running" + shell: /usr/bin/systemctl show 'openstack-cinder-volume' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop cinder_volume service tags: step2 service: name=openstack-cinder-volume state=stopped - - name: Sync cinder_volume DB - tags: step5 - command: cinder-manage db sync diff --git a/puppet/services/congress.yaml b/puppet/services/congress.yaml new file mode 100644 index 00000000..1b82f55c --- /dev/null +++ b/puppet/services/congress.yaml 
@@ -0,0 +1,90 @@ +heat_template_version: ocata + +description: > + OpenStack Congress service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + CongressPassword: + description: The password for the congress service account. + type: string + hidden: true + Debug: + type: string + default: '' + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number + +outputs: + role_data: + description: Role data for the Congress role. 
+ value: + service_name: congress + config_settings: + congress_password: {get_param: CongressPassword} + congress::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://congress:' + - {get_param: CongressPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/congress' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + congress::keystone::auth::tenant: 'service' + congress::keystone::auth::password: {get_param: CongressPassword} + congress::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} + congress::debug: {get_param: Debug} + congress::rpc_backend: rabbit + congress::rabbit_userid: {get_param: RabbitUserName} + congress::rabbit_password: {get_param: RabbitPassword} + congress::rabbit_use_ssl: {get_param: RabbitClientUseSSL} + congress::rabbit_port: {get_param: RabbitClientPort} + congress::server::bind_host: {get_param: [ServiceNetMap, CongressApiNetwork]} + + congress::db::mysql::password: {get_param: CongressPassword} + congress::db::mysql::user: congress + congress::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + congress::db::mysql::dbname: congress + congress::db::mysql::allowed_hosts: + - '%' + - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + + + step_config: | + include ::tripleo::profile::base::congress diff --git a/puppet/services/database/mongodb.yaml b/puppet/services/database/mongodb.yaml index 8290cae7..63ec4446 100644 --- a/puppet/services/database/mongodb.yaml +++ b/puppet/services/database/mongodb.yaml @@ -66,3 +66,10 @@ outputs: mongodb::server::bind_ip: {get_param: [ServiceNetMap, MongodbNetwork]} step_config: | include ::tripleo::profile::base::database::mongodb + upgrade_tasks: + - name: Stop mongodb service + tags: step2 + service: name=mongod state=stopped + - name: Start mongodb service + tags: step4 + service: name=mongod state=started 
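Review bot: `CongressPassword` is used for four things in the new Congress template: the Keystone service account, the MySQL account (`congress::db::mysql::password`), the password embedded in `congress::db::database_connection`, and a bare `congress_password` hiera key. Since `congress::db::mysql::allowed_hosts` includes `'%'`, the database account accepts that same secret from any host that can reach MySQL, so a leak of the service password is also a database compromise. A comment explaining why `'%'` is required, or restricting the list to the internal host entry that is already present, would reduce that exposure. `RabbitUserName` also defaults to `guest`, and `RabbitClientUseSSL` is typed `string` although its default is the boolean `false`.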
diff --git a/puppet/services/database/mysql-internal-tls-certmonger.yaml b/puppet/services/database/mysql-internal-tls-certmonger.yaml index 56d037e7..9f7eaf57 100644 --- a/puppet/services/database/mysql-internal-tls-certmonger.yaml +++ b/puppet/services/database/mysql-internal-tls-certmonger.yaml @@ -41,3 +41,7 @@ outputs: template: "mysql/%{hiera('cloud_name_NETWORK')}" params: NETWORK: {get_param: [ServiceNetMap, MysqlNetwork]} + metadata_settings: + - service: mysql + network: {get_param: [ServiceNetMap, MysqlNetwork]} + type: vip diff --git a/puppet/services/database/mysql.yaml b/puppet/services/database/mysql.yaml index 7e12894f..808f1353 100644 --- a/puppet/services/database/mysql.yaml +++ b/puppet/services/database/mysql.yaml @@ -34,6 +34,10 @@ parameters: default: true description: Whether to use Galera instead of regular MariaDB. type: boolean + NovaPassword: + description: The password for the nova db account + type: string + hidden: true resources: @@ -94,6 +98,8 @@ outputs: {get_param: [ServiceNetMap, MysqlNetwork]} step_config: | include ::tripleo::profile::base::database::mysql + metadata_settings: + get_attr: [MySQLTLS, role_data, metadata_settings] upgrade_tasks: - name: Check for galera root password tags: step0 @@ -104,4 +110,15 @@ outputs: - name: Start service tags: step4 service: name=mariadb state=started - + - name: Setup cell_v2 (create cell0 database) + tags: step4 + mysql_db: + name: nova_cell0 + state: present + - name: Setup cell_v2 (grant access to the nova DB user) + tags: step4 + mysql_user: + str_replace: + template: "name=nova password=PASSWORD host=\"%\" priv=\"nova.*:ALL/nova_cell0.*:ALL,GRANT\" state=present" + params: + PASSWORD: {get_param: NovaPassword} diff --git a/puppet/services/disabled/glance-registry.yaml b/puppet/services/disabled/glance-registry.yaml new file mode 100644 index 00000000..4d22bddc --- /dev/null +++ b/puppet/services/disabled/glance-registry.yaml 
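Review bot: The `Setup cell_v2 (grant access to the nova DB user)` task in the last mysql.yaml hunk builds the `mysql_user` arguments as one key=value string with `NovaPassword` substituted into it. A password containing a space, a quote or `=` would be misparsed or would break the task, and the task has no `no_log: true`, so the rendered arguments, password included, can end up in Ansible output. Passing the arguments as a map keeps the secret as a single value, and `no_log` keeps it out of the logs. The grant also uses `host="%"` with the `GRANT` option, which is broader than the cell0 setup appears to need. Whether Heat renders the nested `get_param` as shown should be confirmed against how `upgrade_tasks` are serialized.

```yaml
# … unchanged: Setup cell_v2 (create cell0 database) …
- name: Setup cell_v2 (grant access to the nova DB user)
  tags: step4
  no_log: true
  mysql_user:
    name: nova
    password: {get_param: NovaPassword}
    host: "%"
    priv: "nova.*:ALL/nova_cell0.*:ALL,GRANT"
    state: present
```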
@@ -0,0 +1,30 @@ +heat_template_version: ocata + +description: > + OpenStack Glance Registry service, disabled since ocata + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + +outputs: + role_data: + description: Role data for the disabled Glance Registry role. + value: + service_name: glance_registry + upgrade_tasks: + - name: Stop and disable glance_registry service on upgrade + tags: step2 + service: name=openstack-glance-registry state=stopped enabled=no diff --git a/puppet/services/ec2-api.yaml b/puppet/services/ec2-api.yaml new file mode 100644 index 00000000..002342b6 --- /dev/null +++ b/puppet/services/ec2-api.yaml 
@@ -0,0 +1,118 @@ +heat_template_version: ocata + +description: > + OpenStack EC2-API service configured with Puppet + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + Ec2ApiWorkers: + default: 0 + description: Number of workers for EC2-API service. + type: number + Ec2ApiPassword: + description: The password for the nova service and db account, used by nova-api. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + MonitoringSubscriptionEc2Api: + default: 'overcloud-ec2-api' + type: string + Ec2ApiLoggingSource: + type: json + default: + tag: openstack.ec2.api + path: /var/log/ec2api/ec2api.log + EnablePackageInstall: + default: 'false' + description: Set to true to enable package installation via Puppet + type: boolean + + +conditions: + nova_workers_zero: {equals : [{get_param: Ec2ApiWorkers}, 0]} + +outputs: + role_data: + description: Role data for the EC2-API service. 
+ value: + service_name: ec2_api + monitoring_subscription: {get_param: MonitoringSubscriptionEc2Api} + logging_source: {get_param: Ec2ApiLoggingSource} + logging_groups: + - nova + config_settings: + map_merge: + - tripleo.ec2_api.firewall_rules: + '113 ec2_api': + dport: + - 8788 + - 13788 + ec2api::keystone::authtoken::project_name: 'service' + ec2api::keystone::authtoken::password: {get_param: Ec2ApiPassword} + ec2api::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + ec2api::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + ec2api::api::enabled: true + ec2api::package_manage: {get_param: EnablePackageInstall} + ec2api::api::ec2api_listen: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, Ec2ApiNetwork]} + ec2api::metadata::metadata_listen: + str_replace: + template: + '"%{::fqdn_$NETWORK}"' + params: + $NETWORK: {get_param: [ServiceNetMap, Ec2ApiMetadataNetwork]} + ec2api::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://ec2_api:' + - {get_param: Ec2ApiPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/ec2_api' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + - + if: + - nova_workers_zero + - {} + - ec2api::api::ec2api_workers: {get_param: Ec2ApiWorkers} + ec2api::metadata::metadata_workers: {get_param: Ec2ApiWorkers} + step_config: | + include tripleo::profile::base::nova::ec2api + service_config_settings: + keystone: + ec2api::keystone::auth::tenant: 'service' + ec2api::keystone::auth::public_url: {get_param: [EndpointMap, Ec2ApiPublic, uri]} + ec2api::keystone::auth::internal_url: {get_param: [EndpointMap, Ec2ApiInternal, uri]} + ec2api::keystone::auth::admin_url: {get_param: [EndpointMap, Ec2ApiAdmin, uri]} + ec2api::keystone::auth::password: {get_param: Ec2ApiPassword} + 
ec2api::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + ec2api::db::mysql::password: {get_param: Ec2ApiPassword} + ec2api::db::mysql::user: ec2_api + ec2api::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + ec2api::db::mysql::dbname: ec2_api + ec2api::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/glance-api.yaml b/puppet/services/glance-api.yaml index 3ddb1927..c4f97d54 100644 --- a/puppet/services/glance-api.yaml +++ b/puppet/services/glance-api.yaml @@ -45,8 +45,23 @@ parameters: default: tag: openstack.glance.api path: /var/log/glance/api.log + EnableInternalTLS: + type: boolean + default: false + +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} resources: + + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + GlanceBase: type: ./glance-base.yaml properties: @@ -66,6 +81,7 @@ outputs: config_settings: map_merge: - get_attr: [GlanceBase, role_data, config_settings] + - get_attr: [TLSProxyBase, role_data, config_settings] - glance::api::database_connection: list_join: - '' @@ -79,7 +95,7 @@ outputs: - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" glance::api::bind_port: {get_param: [EndpointMap, GlanceInternal, port]} glance::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + glance::api::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } glance::api::enable_v1_api: false glance::api::enable_v2_api: true glance::api::authtoken::password: {get_param: GlancePassword} 
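Review bot: `Ec2ApiPassword` in the new ec2-api.yaml is described as `The password for the nova service and db account, used by nova-api.`, which looks copied from the nova template and will mislead an operator who rotates credentials; suggest `The password for the ec2-api service and db account.`. The same value feeds `ec2api::keystone::authtoken::password`, the database connection URL and `ec2api::db::mysql::password`, so the description should say that one secret covers both accounts. The condition name `nova_workers_zero` is likewise a leftover and would read better as `ec2api_workers_zero`. `EnablePackageInstall` is typed boolean but defaults to the string `'false'`; `default: false` would match the type.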
@@ -100,18 +116,34 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - glance::api::bind_host: {get_param: [ServiceNetMap, GlanceApiNetwork]} + tripleo::profile::base::glance::api::tls_proxy_bind_ip: + get_param: [ServiceNetMap, GlanceApiNetwork] + tripleo::profile::base::glance::api::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, GlanceApiNetwork]} + tripleo::profile::base::glance::api::tls_proxy_port: + get_param: [EndpointMap, GlanceInternal, port] + # Bind to localhost if internal TLS is enabled, since we put a TLs + # proxy in front. + glance::api::bind_host: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, GlanceApiNetwork]} step_config: | include ::tripleo::profile::base::glance::api service_config_settings: get_attr: [GlanceBase, role_data, service_config_settings] upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-glance-api is running" + shell: /usr/bin/systemctl show 'openstack-glance-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop glance_api service tags: step2 service: name=openstack-glance-api state=stopped - name: Stop and disable glance registry (removed for Ocata) tags: step2 service: name=openstack-glance-registry state=stopped enabled=no - - name: Sync glance_api DB - tags: step5 - command: glance-manage --config-file=/etc/glance/glance-api.conf db_sync diff --git a/puppet/services/gnocchi-api.yaml b/puppet/services/gnocchi-api.yaml index 3929e005..22c0967e 100644 --- a/puppet/services/gnocchi-api.yaml +++ b/puppet/services/gnocchi-api.yaml 
@@ -84,7 +84,7 @@ outputs: gnocchi::api::enable_proxy_headers_parsing: true gnocchi::api::service_name: 'httpd' gnocchi::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + gnocchi::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::keystone::authtoken::password: {get_param: GnocchiPassword} gnocchi::keystone::authtoken::project_name: 'service' gnocchi::wsgi::apache::ssl: {get_param: EnableInternalTLS} @@ -103,15 +103,9 @@ outputs: # internal_api_subnet - > IP/CIDR gnocchi::wsgi::apache::bind_host: {get_param: [ServiceNetMap, GnocchiApiNetwork]} gnocchi::wsgi::apache::wsgi_process_display_name: 'gnocchi_wsgi' - gnocchi::api::host: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, GnocchiApiNetwork]} gnocchi::api::keystone_auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + gnocchi::api::keystone_identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} gnocchi::storage::swift::swift_authurl: {get_param: [EndpointMap, KeystoneInternal, uri]} step_config: | include ::tripleo::profile::base::gnocchi::api @@ -131,3 +125,9 @@ outputs: gnocchi::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: Stop gnocchi_api service (running under httpd) + tags: step2 + service: name=httpd state=stopped diff --git a/puppet/services/gnocchi-base.yaml b/puppet/services/gnocchi-base.yaml index d92b1766..8fddae4b 100644 --- a/puppet/services/gnocchi-base.yaml +++ b/puppet/services/gnocchi-base.yaml 
@@ -69,7 +69,7 @@ outputs: - '/gnocchi' - '?bind_address=' - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" - gnocchi::db::sync::extra_opts: '--skip-storage --create-legacy-resource-types' + gnocchi::db::sync::extra_opts: '--skip-storage' gnocchi::storage::swift::swift_user: 'service:gnocchi' gnocchi::storage::swift::swift_auth_version: 2 gnocchi::storage::swift::swift_key: {get_param: GnocchiPassword} diff --git a/puppet/services/gnocchi-metricd.yaml b/puppet/services/gnocchi-metricd.yaml index e5f9a8e7..1337b0cb 100644 --- a/puppet/services/gnocchi-metricd.yaml +++ b/puppet/services/gnocchi-metricd.yaml @@ -22,7 +22,7 @@ parameters: default: 'overcloud-gnocchi-metricd' type: string GnocchiMetricdWorkers: - default: '' + default: '%{::os_workers}' description: Number of workers for Gnocchi MetricD type: string @@ -46,3 +46,10 @@ outputs: - gnocchi::metricd::workers: {get_param: GnocchiMetricdWorkers} step_config: | include ::tripleo::profile::base::gnocchi::metricd + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-gnocchi-metricd is running" + shell: /usr/bin/systemctl show 'openstack-gnocchi-metricd' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop gnocchi_metricd service + tags: step2 + service: name=openstack-gnocchi-metricd state=stopped diff --git a/puppet/services/gnocchi-statsd.yaml b/puppet/services/gnocchi-statsd.yaml index df438b37..41222a79 100644 --- a/puppet/services/gnocchi-statsd.yaml +++ b/puppet/services/gnocchi-statsd.yaml 
@@ -45,3 +45,10 @@ outputs: proto: 'udp' step_config: | include ::tripleo::profile::base::gnocchi::statsd + upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-gnocchi-statsd is running" + shell: /usr/bin/systemctl show 'openstack-gnocchi-statsd' --property ActiveState | grep '\bactive\b' + tags: step0,validation + - name: Stop gnocchi_statsd service + tags: step2 + service: name=openstack-gnocchi-statsd state=stopped diff --git a/puppet/services/haproxy-internal-tls-certmonger.yaml b/puppet/services/haproxy-internal-tls-certmonger.yaml index 77457593..ae226163 100644 --- a/puppet/services/haproxy-internal-tls-certmonger.yaml +++ b/puppet/services/haproxy-internal-tls-certmonger.yaml @@ -19,6 +19,22 @@ parameters: via parameter_defaults in the resource registry. type: json +resources: + + HAProxyNetworks: + type: OS::Heat::Value + properties: + value: + # NOTE(jaosorior) Get unique network names to create + # certificates for those. We skip the tenant network since + # we don't need a certificate for that, and the external + # network will be handled in another template. + yaql: + expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) + data: + map: + get_param: ServiceNetMap + outputs: role_data: description: Role data for the HAProxy internal TLS via certmonger role. 
@@ -39,13 +55,12 @@ outputs: postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_NETWORK')}" for_each: - NETWORK: - # NOTE(jaosorior) Get unique network names to create - # certificates for those. We skip the tenant network since - # we don't need a certificate for that, and the external - # network will be handled in another template. - yaql: - expression: list($.data.map.items().map($1[1])).distinct().where($ != external and $ != tenant) - data: - map: - get_param: ServiceNetMap + NETWORK: {get_attr: [HAProxyNetworks, value]} + metadata_settings: + repeat: + template: + - service: haproxy + network: $NETWORK + type: vip + for_each: + $NETWORK: {get_attr: [HAProxyNetworks, value]} diff --git a/puppet/services/haproxy-public-tls-certmonger.yaml b/puppet/services/haproxy-public-tls-certmonger.yaml index 227697b9..6013b026 100644 --- a/puppet/services/haproxy-public-tls-certmonger.yaml +++ b/puppet/services/haproxy-public-tls-certmonger.yaml @@ -35,3 +35,7 @@ outputs: hostname: "%{hiera('cloud_name_external')}" postsave_cmd: "" # TODO principal: "haproxy/%{hiera('cloud_name_external')}" + metadata_settings: + - service: haproxy + network: external + type: vip diff --git a/puppet/services/haproxy.yaml b/puppet/services/haproxy.yaml index 9049c901..358698dd 100644 --- a/puppet/services/haproxy.yaml +++ b/puppet/services/haproxy.yaml 
@@ -78,9 +78,18 @@ outputs: step_config: | include ::tripleo::profile::base::haproxy upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service haproxy is running" + shell: /usr/bin/systemctl show 'haproxy' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop haproxy service tags: step1 service: name=haproxy state=stopped - name: Start haproxy service tags: step4 # Needed at step 4 for mysql service: name=haproxy state=started + metadata_settings: + yaql: + expression: '[].concat(coalesce($.data.internal, []), coalesce($.data.public, []))' + data: + public: {get_attr: [HAProxyPublicTLS, role_data, metadata_settings]} + internal: {get_attr: [HAProxyInternalTLS, role_data, metadata_settings]} diff --git a/puppet/services/heat-api-cfn.yaml b/puppet/services/heat-api-cfn.yaml index 28317dd3..7bd2fcf1 100644 --- a/puppet/services/heat-api-cfn.yaml +++ b/puppet/services/heat-api-cfn.yaml @@ -85,6 +85,9 @@ outputs: heat::keystone::auth_cfn::password: {get_param: HeatPassword} heat::keystone::auth_cfn::region: {get_param: KeystoneRegion} upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-heat-api-cfn is running" + shell: echo o/ #TODO uncomment when /#/c/423302/ : /usr/bin/systemctl show 'openstack-heat-api-cfn' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop heat_api_cfn service tags: step2 service: name=openstack-heat-api-cfn state=stopped diff --git a/puppet/services/heat-api-cloudwatch.yaml b/puppet/services/heat-api-cloudwatch.yaml index 5de25ab8..0954ad19 100644 --- a/puppet/services/heat-api-cloudwatch.yaml +++ b/puppet/services/heat-api-cloudwatch.yaml 
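Review bot: The step0 validation task added for openstack-heat-api-cfn runs `shell: echo o/`, with the real `systemctl show ... | grep` check left behind a `#TODO` comment, so it always succeeds and reports the service as validated without checking anything. The same stub is added in the heat-api-cloudwatch, heat-api and heat-engine hunks that follow. Until the referenced change lands, either drop these tasks or rename them so the output does not claim a check, for example `- name: "PreUpgrade step0,validation: openstack-heat-api-cfn check disabled (TODO)"`. The `upgrade_tasks` list continues outside the hunk.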
@@ -67,6 +67,9 @@ outputs: step_config: | include ::tripleo::profile::base::heat::api_cloudwatch upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-heat-api-cloudwatch is running" + shell: echo o/ #TODO uncomment when /#/c/423302/ : /usr/bin/systemctl show 'openstack-heat-api-cloudwatch' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop heat_api_cloudwatch service tags: step2 service: name=openstack-heat-api-cloudwatch state=stopped diff --git a/puppet/services/heat-api.yaml b/puppet/services/heat-api.yaml index 0ce8e1fa..ae656b1e 100644 --- a/puppet/services/heat-api.yaml +++ b/puppet/services/heat-api.yaml @@ -85,6 +85,9 @@ outputs: heat::keystone::auth::password: {get_param: HeatPassword} heat::keystone::auth::region: {get_param: KeystoneRegion} upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-heat-api is running" + shell: echo o/ #TODO uncomment when /#/c/423302/ : /usr/bin/systemctl show 'openstack-heat-api' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop heat_api service tags: step2 service: name=openstack-heat-api state=stopped diff --git a/puppet/services/heat-base.yaml b/puppet/services/heat-base.yaml index 90943751..b4d314f4 100644 --- a/puppet/services/heat-base.yaml +++ b/puppet/services/heat-base.yaml @@ -122,7 +122,7 @@ outputs: heat::rabbit_heartbeat_timeout_threshold: 60 heat::keystone::authtoken::project_name: 'service' heat::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + heat::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } heat::keystone::authtoken::password: {get_param: HeatPassword} heat::keystone::domain::domain_name: 'heat_stack' heat::keystone::domain::domain_admin: 'heat_stack_domain_admin' 
diff --git a/puppet/services/heat-engine.yaml b/puppet/services/heat-engine.yaml index 976d413c..e85b7537 100644 --- a/puppet/services/heat-engine.yaml +++ b/puppet/services/heat-engine.yaml @@ -138,9 +138,9 @@ outputs: # This is needed because the keystone profile handles creating the domain tripleo::profile::base::keystone::heat_admin_password: {get_param: HeatStackDomainAdminPassword} upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service openstack-heat-engine is running" + shell: echo o/ #TODO uncomment when /#/c/423302/ : /usr/bin/systemctl show 'openstack-heat-engine' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop heat_engine service tags: step2 service: name=openstack-heat-engine state=stopped - - name: Sync heat_engine DB - tags: step5 - command: heat-manage --config-file /etc/heat/heat.conf db_sync diff --git a/puppet/services/horizon.yaml b/puppet/services/horizon.yaml index cf35d202..2111021b 100644 --- a/puppet/services/horizon.yaml +++ b/puppet/services/horizon.yaml @@ -27,6 +27,14 @@ parameters: description: A list of IP/Hostname for the server Horizon is running on. Used for header checks. type: comma_delimited_list + HorizonPasswordValidator: + description: Regex for password validation + type: string + default: '' + HorizonPasswordValidatorHelp: + description: Help text for password validation + type: string + default: '' HorizonSecret: description: Secret key for Django type: string @@ -71,6 +79,8 @@ outputs: options: ['FollowSymLinks','MultiViews'] horizon::bind_address: {get_param: [ServiceNetMap, HorizonNetwork]} horizon::keystone_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + horizon::password_validator: {get_param: [HorizonPasswordValidator]} + horizon::password_validator_help: {get_param: [HorizonPasswordValidatorHelp]} horizon::secret_key: yaql: expression: $.data.passwords.where($ != '').first() 
diff --git a/puppet/services/ironic-api.yaml b/puppet/services/ironic-api.yaml index aebb37b2..a84df538 100644 --- a/puppet/services/ironic-api.yaml +++ b/puppet/services/ironic-api.yaml @@ -25,6 +25,10 @@ parameters: MonitoringSubscriptionIronicApi: default: 'overcloud-ironic-api' type: string + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint resources: IronicBase: @@ -47,7 +51,7 @@ outputs: ironic::api::authtoken::project_name: 'service' ironic::api::authtoken::username: 'ironic' ironic::api::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + ironic::api::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} # NOTE: bind IP is found in Heat replacing the network name with the # local node IP for the given network; replacement examples # (eg. for internal_api): @@ -73,6 +77,7 @@ outputs: ironic::keystone::auth::auth_name: 'ironic' ironic::keystone::auth::password: {get_param: IronicPassword } ironic::keystone::auth::tenant: 'service' + ironic::keystone::auth::region: {get_param: KeystoneRegion} mysql: ironic::db::mysql::password: {get_param: IronicPassword} ironic::db::mysql::user: ironic @@ -81,3 +86,7 @@ outputs: ironic::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + upgrade_tasks: + - name: Stop ironic_api service + tags: step2 + service: name=openstack-ironic-api state=stopped diff --git a/puppet/services/ironic-conductor.yaml b/puppet/services/ironic-conductor.yaml index 194afec7..739db13c 100644 --- a/puppet/services/ironic-conductor.yaml +++ b/puppet/services/ironic-conductor.yaml 
@@ -24,6 +24,14 @@ parameters: "full" for full cleaning, "metadata" to clean only disk metadata (partition table). type: string + IronicCleaningNetwork: + default: 'provisioning' + description: Name or UUID of the *overcloud* network used for cleaning + bare metal nodes. The default value of "provisioning" can be + left during the initial deployment (when no networks are + created yet) and should be changed to an actual UUID in + a post-deployment stack update. + type: string IronicEnabledDrivers: default: ['pxe_ipmitool', 'pxe_drac', 'pxe_ilo'] description: Enabled Ironic drivers @@ -61,6 +69,7 @@ outputs: - ironic::api::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} ironic::conductor::api_url: {get_param: [EndpointMap, IronicInternal, uri_no_suffix]} ironic::conductor::cleaning_disk_erase: {get_param: IronicCleaningDiskErase} + ironic::conductor::cleaning_network: {get_param: IronicCleaningNetwork} ironic::conductor::enabled_drivers: {get_param: IronicEnabledDrivers} # We need an endpoint containing a real IP, not a VIP here ironic_conductor_http_host: {get_param: [ServiceNetMap, IronicNetwork]} @@ -98,3 +107,7 @@ outputs: step_config: | include ::tripleo::profile::base::ironic::conductor + upgrade_tasks: + - name: Stop ironic_conductor service + tags: step2 + service: name=openstack-ironic-conductor state=stopped diff --git a/puppet/services/keystone.yaml b/puppet/services/keystone.yaml index 434f0a33..b2374ec4 100644 --- a/puppet/services/keystone.yaml +++ b/puppet/services/keystone.yaml @@ -310,6 +310,5 @@ outputs: - name: Stop keystone service (running under httpd) tags: step2 service: name=httpd state=stopped - - name: Sync keystone DB - tags: step5 - command: keystone-manage db_sync + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/logging/fluentd-client.yaml b/puppet/services/logging/fluentd-client.yaml index 769ab68f..94c63d33 100644 
--- a/puppet/services/logging/fluentd-client.yaml +++ b/puppet/services/logging/fluentd-client.yaml @@ -62,3 +62,12 @@ outputs: get_attr: [LoggingConfiguration, LoggingSharedKey] step_config: | include ::tripleo::profile::base::logging::fluentd + upgrade_tasks: + - name: Check status of fluentd service + shell: > + /usr/bin/systemctl show fluentd --property ActiveState | + grep '\bactive\b' + tags: step0,validation + - name: Stop fluentd service + tags: step2 + service: name=fluentd state=stopped diff --git a/puppet/services/manila-api.yaml b/puppet/services/manila-api.yaml index b7c64823..7b78c82e 100644 --- a/puppet/services/manila-api.yaml +++ b/puppet/services/manila-api.yaml @@ -49,7 +49,7 @@ outputs: - get_attr: [ManilaBase, role_data, config_settings] - manila::keystone::authtoken::password: {get_param: ManilaPassword} manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } manila::keystone::authtoken::project_name: 'service' tripleo.manila_api.firewall_rules: '150 manila': @@ -64,6 +64,7 @@ outputs: # internal_api_subnet - > IP/CIDR manila::api::bind_host: {get_param: [ServiceNetMap, ManilaApiNetwork]} manila::api::enable_proxy_headers_parsing: true + manila::api::default_share_type: 'default' step_config: | include ::tripleo::profile::base::manila::api service_config_settings: diff --git a/puppet/services/manila-share.yaml b/puppet/services/manila-share.yaml index e38fe675..6ac0d2cf 100644 --- a/puppet/services/manila-share.yaml +++ b/puppet/services/manila-share.yaml 
@@ -46,7 +46,7 @@ outputs: - manila::volume::cinder::cinder_admin_tenant_name: 'service' manila::keystone::authtoken::password: {get_param: ManilaPassword} manila::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + manila::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } manila::keystone::authtoken::project_name: 'service' service_config_settings: get_attr: [ManilaBase, role_data, service_config_settings] diff --git a/puppet/services/memcached.yaml b/puppet/services/memcached.yaml index ffa969e0..146cc306 100644 --- a/puppet/services/memcached.yaml +++ b/puppet/services/memcached.yaml @@ -18,6 +18,12 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + MemcachedMaxMemory: + default: '50%' + description: The maximum amount of memory for memcached to be configured + to use when installed. This can be either a percentage ('50%') + or a fixed value ('2048'). + type: string MonitoringSubscriptionMemcached: default: 'overcloud-memcached' type: string @@ -35,8 +41,17 @@ outputs: # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR memcached::listen_ip: {get_param: [ServiceNetMap, MemcachedNetwork]} + memcached::max_memory: {get_param: MemcachedMaxMemory} tripleo.memcached.firewall_rules: '121 memcached': dport: 11211 step_config: | include ::tripleo::profile::base::memcached + service_config_settings: + collectd: + tripleo.collectd.plugins.memcached: + - memcached + collectd::plugin::memcached::instances: + local: + host: "%{hiera('memcached::listen_ip')}" + port: 11211 diff --git a/puppet/services/metrics/collectd.yaml b/puppet/services/metrics/collectd.yaml new file mode 100644 index 00000000..a3e3b842 --- /dev/null +++ b/puppet/services/metrics/collectd.yaml 
@@ -0,0 +1,120 @@ +heat_template_version: ocata + +description: Collectd client service + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + DefaultPasswords: + default: {} + type: json + CollectdDefaultPlugins: + default: + - disk + - interface + - load + - memory + - processes + - tcpconns + type: comma_delimited_list + description: > + List of collectd plugins to activate on all overcloud hosts. See + the documentation for the puppet-collectd module for a list plugins + supported by the module (https://github.com/voxpupuli/puppet-collectd). + Set this key to override the default list of plugins. Use + CollectdExtraPlugins if you want to load additional plugins without + overriding the defaults. + CollectdExtraPlugins: + default: [] + type: comma_delimited_list + description: > + List of collectd plugins to activate on all overcloud hosts. See + the documentation for the puppet-collectd module for a list plugins + supported by the module (https://github.com/voxpupuli/puppet-collectd). + Set this key to load plugins in addition to those in + CollectdDefaultPlugins. + CollectdServer: + type: string + description: > + Address of remote collectd server to which we will send + metrics. + default: '' + CollectdServerPort: + type: number + default: 25826 + description: > + Port on remote collectd server to which we will send + metrics. + CollectdUsername: + type: string + description: > + Username for authenticating to the remote collectd server. The default + is to not configure any authentication. 
+ default: '' + CollectdPassword: + type: string + hidden: true + description: > + Password for authenticating to the remote collectd server. The + default is to not configure any authentication. + default: '' + CollectdSecurityLevel: + type: string + description: > + Security level setting for remote collectd connection. + default: 'None' + constraints: + - allowed_values: + - None + - Sign + - Encrypt + +outputs: + role_data: + description: Role data for the Collectd client role. + value: + service_name: collectd + config_settings: + collectd::manage_repo: false + collectd::purge: true + collectd::recurse: true + collectd::purge_config: true + collectd::minimum_version: "5.7" + tripleo::profile::base::metrics::collectd::collectd_server: + get_param: CollectdServer + tripleo::profile::base::metrics::collectd::collectd_port: + get_param: CollectdServerPort + tripleo::profile::base::metrics::collectd::collectd_username: + get_param: CollectdUsername + tripleo::profile::base::metrics::collectd::collectd_password: + get_param: CollectdPassword + tripleo::profile::base::metrics::collectd::collectd_securitylevel: + get_param: CollectdSecurityLevel + tripleo.collectd.plugins.collectd: + yaql: + data: + default_plugins: {get_param: CollectdDefaultPlugins} + extra_plugins: {get_param: CollectdExtraPlugins} + expression: > + ($.data.default_plugins + $.data.extra_plugins) + .flatten().distinct() + step_config: | + include ::tripleo::profile::base::metrics::collectd + upgrade_tasks: + - name: Check status of collectd service + shell: > + /usr/bin/systemctl show collectd --property ActiveState | + grep '\bactive\b' + tags: step0,validation + - name: Stop collectd service + tags: step2 + service: name=collectd state=stopped diff --git a/puppet/services/mistral-base.yaml b/puppet/services/mistral-base.yaml index e678b14f..4d020498 100644 --- a/puppet/services/mistral-base.yaml +++ b/puppet/services/mistral-base.yaml 
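Review bot: `CollectdSecurityLevel` defaults to `None` and `CollectdUsername`/`CollectdPassword` default to empty, so once `CollectdServer` is set the metrics are presumably sent unsigned and unencrypted, and the parameter descriptions do not say so. I would extend the `CollectdSecurityLevel` description with a sentence such as `Sign and Encrypt require CollectdUsername and CollectdPassword to be set; None sends metrics unauthenticated and in clear text.` Nothing visible in this template rejects `Sign` or `Encrypt` combined with an empty username or password, so that combination is worth checking in the profile, which is outside this diff section.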
@@ -76,7 +76,7 @@ outputs: mistral::keystone_tenant: 'service' mistral::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} mistral::keystone_ec2_uri: {get_param: [EndpointMap, KeystoneEC2, uri]} - mistral::identity_uri: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + mistral::identity_uri: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} service_config_settings: keystone: mistral::keystone::auth::tenant: 'service' diff --git a/puppet/services/monitoring/sensu-client.yaml b/puppet/services/monitoring/sensu-client.yaml index 76ba59c1..d74a68a2 100644 --- a/puppet/services/monitoring/sensu-client.yaml +++ b/puppet/services/monitoring/sensu-client.yaml @@ -62,3 +62,12 @@ outputs: region: {get_param: KeystoneRegion} step_config: | include ::tripleo::profile::base::monitoring::sensu + upgrade_tasks: + - name: Check status of sensu-client service + shell: > + /usr/bin/systemctl show sensu-client --property ActiveState | + grep '\bactive\b' + tags: step0,validation + - name: Stop sensu-client service + tags: step2 + service: name=sensu-client state=stopped diff --git a/puppet/services/network/contrail-analytics-database.yaml b/puppet/services/network/contrail-analytics-database.yaml new file mode 100644 index 00000000..67341ed3 --- /dev/null +++ b/puppet/services/network/contrail-analytics-database.yaml 
@@ -0,0 +1,43 @@
+heat_template_version: ocata
+
+description: >
+ Contrail Analytics Database service deployment using puppet, this YAML file
+ creates the interface between the HOT template
+ and the puppet manifest that actually installs
+ and configures Contrail Analytics Database.
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+resources:
+ ContrailBase:
+ type: ./contrail-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role Contrail Analytics Database using composable services.
+ value:
+ service_name: contrail_analytics_database
+ config_settings:
+ map_merge:
+ - get_attr: [ContrailBase, role_data, config_settings]
+ - contrail::analytics::database::host_ip: {get_param: [ServiceNetMap, ContrailAnalyticsDatabaseNetwork]}
+ step_config: |
+ include ::tripleo::network::contrail::analyticsdatabase
diff --git a/puppet/services/network/contrail-analytics.yaml b/puppet/services/network/contrail-analytics.yaml
index ad14d315..e3e0ec4b 100644
--- a/puppet/services/network/contrail-analytics.yaml
+++ b/puppet/services/network/contrail-analytics.yaml
@@ -21,44 +21,6 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - ContrailAnalyticsHostIP: - description: host IP address of Analytics - type: string - ContrailAnalyticsRedisServerIp: - description: Redis server ip address - type: string - ContrailAnalyticsCollectorServerHttpPort: - description: Collector http port - type: number - default: 8089 - ContrailAnalyticsCollectorSandeshPort: - description: Collector sandesh port - type: number - default: 8086 - ContrailAnalyticsHttpServerPort: - description: Analytics http port - type: number - default: 8090 - ContrailAnalyticsListenAddress: - default: '0.0.0.0' - description: IP address Config API is listening on - type: string - ContrailAnalyticsListenPort: - default: 8082 - description: Port Config API is listening on - type: number - ContrailAnalyticsRedisServerPort: - description: Redis server port - type: number - default: 6379 - ContrailAnalyticsRestApiIp: - description: IP address Analytics rest interface listens on - type: string - default: '0.0.0.0' - ContrailAnalyticsRestApiPort: - description: Analytics rest port - type: number - default: 8081 resources: ContrailBase: 
@@ -76,15 +38,14 @@ outputs: config_settings: map_merge: - get_attr: [ContrailBase, role_data, config_settings] - - contrail::analytics::collector_http_server_port: {get_param: ContrailAnalyticsCollectorServerHttpPort} - contrail::analytics::collector_sandesh_port: {get_param: ContrailAnalyticsCollectorSandeshPort} - contrail::analytics::host_ip: {get_param: ContrailAnalyticsHostIP} - contrail::analytics::http_server_port: {get_param: ContrailAnalyticsHttpServerPort} - contrail::analytics::listen_ip_address: {get_param: ContrailAnalyticsListenAddress} - contrail::analytics::listen_port: {get_param: ContrailAnalyticsListenPort} - contrail::analytics::redis_server: {get_param: ContrailAnalyticsRedisServerIp} - contrail::analytics::redis_server_port: {get_param: ContrailAnalyticsRedisServerPort} - contrail::analytics::rest_api_ip: {get_param: ContrailAnalyticsRestApiIp} - contrail::analytics::rest_api_port: {get_param: ContrailAnalyticsRestApiPort} + - contrail::analytics::collector_http_server_port: {get_param: [EndpointMap, ContrailAnalyticsCollectorHttpInternal, port]} + contrail::analytics::collector_sandesh_port: {get_param: [EndpointMap, ContrailAnalyticsCollectorSandeshInternal, port]} + contrail::analytics::host_ip: {get_param: [ServiceNetMap, ContrailAnalyticsNetwork]} + contrail::analytics::http_server_port: {get_param: [EndpointMap, ContrailAnalyticsHttpInternal, port]} + contrail::analytics::listen_ip_address: {get_param: [ServiceNetMap, ContrailAnalyticsNetwork]} + contrail::analytics::redis_server: '127.0.0.1' + contrail::analytics::redis_server_port: {get_param: [EndpointMap, ContrailAnalyticsRedisInternal, port]} + contrail::analytics::rest_api_ip: {get_param: [ServiceNetMap, ContrailAnalyticsNetwork]} + contrail::analytics::rest_api_port: {get_param: [EndpointMap, ContrailAnalyticsApiInternal, port]} step_config: | include ::tripleo::network::contrail::analytics 
diff --git a/puppet/services/network/contrail-base.yaml b/puppet/services/network/contrail-base.yaml index b49b2add..bc56a3ca 100644 --- a/puppet/services/network/contrail-base.yaml +++ b/puppet/services/network/contrail-base.yaml @@ -18,47 +18,42 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + ContrailAAAMode: + description: AAAmode can be no-auth, cloud-admin or rbac + type: string + default: 'rbac' + ContrailAAAModeAnalytics: + description: AAAmode for analytics can be no-auth, cloud-admin or rbac + type: string + default: 'no-auth' AdminPassword: description: Keystone admin user password type: string + hidden: true AdminTenantName: description: Keystone admin tenant name type: string + default: 'admin' AdminToken: description: Keystone admin token type: string + hidden: true AdminUser: description: Keystone admin user name type: string - AuthHost: - description: Keystone host IP address - type: string - AuthPort: - default: 35357 - description: Keystone port + default: 'admin' + AuthPortSSL: + default: 13357 + description: Keystone SSL port + type: number + AuthPortSSLPublic: + default: 13000 + description: Keystone Public SSL port type: number - AuthProtocol: - default: 'http' - description: Keystone authentication protocol - type: string - ContrailDiscoveryServerIp: - description: Discovery server ip address - type: string - ContrailKafkaBrokerList: - description: List of kafka servers - type: comma_delimited_list ContrailAuth: default: 'keystone' description: Keystone authentication method type: string - ContrailCassandraServerList: - default: [] - description: List of cassandra servers - type: comma_delimited_list - ContrailDiscoveryServerPort: - description: Discovery server port - type: number - default: 5998 ContrailInsecure: default: false description: Keystone insecure mode 
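Review bot: `ContrailAAAModeAnalytics` defaults to 'no-auth', which presumably leaves the analytics API unauthenticated unless the operator overrides it, while `ContrailAAAMode` in the same hunk defaults to 'rbac'. Both parameters are free-form strings although their descriptions list exactly three values; an `allowed_values` constraint (`- no-auth`, `- cloud-admin`, `- rbac`) would reject a typo at stack validation instead of handing it to puppet. If 'no-auth' is intentional for analytics, the description should say so and state what protects that endpoint instead. The `parameters:` block starts before this hunk.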
@@ -67,14 +62,18 @@ parameters: default: '127.0.0.1:12111' description: Memcached server type: string - ContrailMultiTenancy: - default: true - description: Turn on/off multi-tenancy - type: boolean - ContrailZkServerIp: - default: [] - description: List of zookeeper servers - type: comma_delimited_list + RabbitPassword: + description: The password for RabbitMQ + type: string + hidden: true + RabbitUserName: + default: guest + description: The username for RabbitMQ + type: string + RabbitClientPort: + default: 5672 + description: Set rabbit subscriber port, change this if using SSL + type: number outputs: role_data: 
@@ -82,19 +81,23 @@ outputs: value: service_name: contrail_base config_settings: + contrail::aaa_mode: {get_param: ContrailAAAMode} + contrail::analytics_aaa_mode: {get_param: ContrailAAAModeAnalytics} contrail::admin_password: {get_param: AdminPassword} contrail::admin_tenant_name: {get_param: AdminTenantName} contrail::admin_token: {get_param: AdminToken} contrail::admin_user: {get_param: AdminUser} - contrail::auth_host: {get_param: [EndpointMap, KeystoneInternal, host] } - contrail::auth_port: {get_param: [EndpointMap, KeystoneInternal, port] } - contrail::auth_protocol: {get_param: [EndpointMap, KeystoneInternal, protocol] } - contrail::disc_server_ip: {get_param: ContrailDiscoveryServerIp} - contrail::kafka_broker_list: {get_param: ContrailKafkaBrokerList} contrail::auth: {get_param: ContrailAuth} - contrail::cassandra_server_list: {get_param: ContrailCassandraServerList} - contrail::disc_server_port: {get_param: ContrailDiscoveryServerPort} + contrail::auth_host: {get_param: [EndpointMap, KeystonePublic, host] } + contrail::auth_port: {get_param: [EndpointMap, KeystoneAdmin, port] } + contrail::auth_port_ssl: {get_param: AuthPortSSL } + contrail::auth_port_public: {get_param: [EndpointMap, KeystonePublic, port] } + contrail::auth_port_ssl_public: {get_param: AuthPortSSLPublic } + contrail::auth_protocol: {get_param: [EndpointMap, KeystoneInternal, protocol] } + contrail::api_port: {get_param: [EndpointMap, ContrailConfigInternal, port] } + contrail::disc_server_port: {get_param: [EndpointMap, ContrailDiscoveryInternal, port] } contrail::insecure: {get_param: ContrailInsecure} contrail::memcached_server: {get_param: ContrailMemcachedServer} - contrail::multi_tenancy: {get_param: ContrailMultiTenancy} - contrail::zk_server_ip: {get_param: ContrailZkServerIp} + contrail::rabbit_password: {get_param: RabbitPassword} + contrail::rabbit_user: {get_param: RabbitUserName} + contrail::rabbit_port: {get_param: RabbitClientPort} 
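Review bot: The Keystone connection settings in contrail-base.yaml are now assembled from three different endpoints: `contrail::auth_host` reads `[EndpointMap, KeystonePublic, host]`, `contrail::auth_port` reads `[EndpointMap, KeystoneAdmin, port]` and `contrail::auth_protocol` reads `[EndpointMap, KeystoneInternal, protocol]`. When the public endpoint uses a different protocol or network than the internal one, this can yield a host/port/protocol combination that no Keystone listener serves, or send admin credentials towards the public VIP. Other hunks in this commit move services from `KeystoneAdmin` to `KeystoneInternal`; taking host, port and protocol from the same endpoint here would be consistent with that, or a comment should explain why the mix is required.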
diff --git a/puppet/services/network/contrail-config.yaml b/puppet/services/network/contrail-config.yaml index 03774480..185b6094 100644 --- a/puppet/services/network/contrail-config.yaml +++ b/puppet/services/network/contrail-config.yaml @@ -21,29 +21,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - ContrailConfigIfmapServerIp: - description: Ifmap server ip address - type: string ContrailConfigIfmapUserName: description: Ifmap user name type: string + default: 'api-server' ContrailConfigIfmapUserPassword: description: Ifmap user password type: string - ContrailConfigRabbitServerIp: - description: RabbitMq server ip address - type: string - ContrailConfigRedisServerIp: - description: Redis server ip address - type: string - ContrailConfigListenAddress: - default: '0.0.0.0' - description: IP address Config API is listening on - type: string - ContrailConfigListenPort: - default: 8082 - description: Port Config API is listening on - type: number + default: 'api-server' resources: ContrailBase: 
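Review bot: `ContrailConfigIfmapUserPassword` gains `default: 'api-server'`, the same literal as the new default for `ContrailConfigIfmapUserName`, and the parameter is not marked `hidden: true`. Every deployment that does not override it ends up with an identical, publicly known ifmap credential, and the value is shown in clear text when the stack parameters are listed. I would drop the default so the operator has to supply a value and add `hidden: true`, as this commit does for `AdminPassword` and `RabbitPassword` in contrail-base.yaml.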
@@ -62,11 +47,10 @@ outputs: map_merge: - get_attr: [ContrailBase, role_data, config_settings] - contrail::config::ifmap_password: {get_param: ContrailConfigIfmapUserPassword} - contrail::config::ifmap_server_ip: {get_param: ContrailConfigIfmapServerIp} contrail::config::ifmap_username: {get_param: ContrailConfigIfmapUserName} - contrail::config::listen_ip_address: {get_param: ContrailConfigListenAddress} - contrail::config::listen_port: {get_param: ContrailConfigListenPort} - contrail::config::rabbit_server: {get_param: ContrailConfigRabbitServerIp} - contrail::config::redis_server: {get_param: ContrailConfigRedisServerIp} + contrail::config::listen_ip_address: {get_param: [ServiceNetMap, ContrailConfigNetwork]} + contrail::config::listen_port: {get_param: [EndpointMap, ContrailConfigInternal, port] } + contrail::config::redis_server: '127.0.0.1' + contrail::config::host_ip: {get_param: [ServiceNetMap, ContrailConfigNetwork] } step_config: | include ::tripleo::network::contrail::config diff --git a/puppet/services/network/contrail-control.yaml b/puppet/services/network/contrail-control.yaml index 7c28d283..0964989b 100644 --- a/puppet/services/network/contrail-control.yaml +++ b/puppet/services/network/contrail-control.yaml @@ -21,15 +21,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - ContrailControlHostIP: - description: host IP address of Analytics - type: string - ContrailControlIfmapUserName: - description: Ifmap user name - type: string - ContrailControlIfmapUserPassword: - description: Ifmap user password + ContrailControlASN: + description: Autonomous System Number + type: number + default: 64512 + ContrailControlRNDCSecret: + description: sda1/256 hmac key, e.g. echo -n "values" | openssl dgst -sha256 -hmac key -binary | base64 type: string + hidden: true resources: ContrailBase: 
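Review bot: In the contrail-control.yaml parameters hunk, the description of `ContrailControlRNDCSecret` reads "sda1/256 hmac key", which looks like a typo for the HMAC-SHA256 key the example command produces. The example also passes the key as a command-line argument to `openssl dgst -hmac`, where it is visible in shell history and the process list; the description could point to generating the key from a random source and reading it from a file instead. The parameter is correctly `hidden: true` but has no default, so it becomes mandatory for every deployment that enables this service, which the description should mention.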
@@ -47,8 +46,8 @@ outputs: config_settings: map_merge: - get_attr: [ContrailBase, role_data, config_settings] - - contrail::control::host_ip: {get_param: ContrailControlHostIP} - contrail::control::ifmap_username: {get_param: ContrailControlIfmapUserName} - contrail::control::ifmap_password: {get_param: ContrailControlIfmapUserPassword} + - contrail::control::asn: {get_param: ContrailControlASN } + contrail::control::host_ip: {get_param: [ServiceNetMap, ContrailControlNetwork]} + contrail::control::rndc_secret: {get_param: ContrailControlRNDCSecret} step_config: | include ::tripleo::network::contrail::control diff --git a/puppet/services/network/contrail-database.yaml b/puppet/services/network/contrail-database.yaml index c56b90a2..b47c2c36 100644 --- a/puppet/services/network/contrail-database.yaml +++ b/puppet/services/network/contrail-database.yaml @@ -21,13 +21,6 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - ContrailDatabaseHostIP: - description: host IP address of Database node - type: string - ContrailDatabaseMinDisk: - description: Minimum disk size for database - type: number - default: 64 resources: ContrailBase: @@ -45,7 +38,6 @@ outputs: config_settings: map_merge: - get_attr: [ContrailBase, role_data, config_settings] - - contrail::database::host_ip: {get_param: ContrailDatabaseHostIP} - contrail::database::minimum_diskGB: {get_param: ContrailDatabaseMinDisk} + - contrail::database::host_ip: {get_param: [ServiceNetMap, ContrailDatabaseNetwork]} step_config: | - include ::tripleo::profile::contrail::database + include ::tripleo::network::contrail::database diff --git a/puppet/services/network/contrail-heat.yaml b/puppet/services/network/contrail-heat.yaml new file mode 100644 index 00000000..4dfc6579 --- /dev/null +++ b/puppet/services/network/contrail-heat.yaml 
@@ -0,0 +1,40 @@
+heat_template_version: ocata
+
+description: >
+ Contrail Heat plugin adds Contrail specific heat resources enabling heat
+ to orchestrate Contrail
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+resources:
+ ContrailBase:
+ type: ./contrail-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Contrail Heat plugin
+ value:
+ service_name: contrail_heat
+ config_settings:
+ map_merge:
+ - get_attr: [ContrailBase, role_data, config_settings]
+ step_config: |
+ include ::tripleo::network::contrail::heat
diff --git a/puppet/services/network/contrail-neutron-plugin.yaml b/puppet/services/network/contrail-neutron-plugin.yaml
new file mode 100644
index 00000000..2f2ceb37
--- /dev/null
+++ b/puppet/services/network/contrail-neutron-plugin.yaml
@@ -0,0 +1,45 @@
+heat_template_version: ocata
+
+description: >
+ OpenStack Neutron Opencontrail plugin
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ ContrailExtensions:
+ description: List of OpenContrail extensions to be enabled
+ type: comma_delimited_list
+ default: ''
+
+resources:
+ ContrailBase:
+ type: ./contrail-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Neutron Opencontrail plugin
+ value:
+ service_name: contrail_neutron_plugin
+ config_settings:
+ map_merge:
+ - get_attr: [ContrailBase, role_data, config_settings]
+ - neutron::api_extensions_path: /usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions
+ contrail::vrouter::contrail_extensions: {get_param: ContrailExtensions}
+ step_config: |
+ include tripleo::network::contrail::neutron_plugin
diff --git a/puppet/services/network/contrail-provision.yaml b/puppet/services/network/contrail-provision.yaml
new file mode 100644
index 00000000..765be9a9
--- /dev/null
+++ b/puppet/services/network/contrail-provision.yaml
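Review bot: `neutron::api_extensions_path` is hard-coded to `/usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions`, which ties the template to one interpreter version and install prefix and cannot be overridden without editing the file. A string parameter with this path as its default (for example `ContrailNeutronExtensionsPath`, name to be agreed) would keep today's behaviour while leaving it adjustable. Because this template merges all of `ContrailBase`'s `config_settings`, it is also worth confirming that the neutron plugin role really needs the admin and RabbitMQ credentials that come with them.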
@@ -0,0 +1,39 @@
+heat_template_version: ocata
+
+description: >
+ Provision Contrail services after deployment
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+
+resources:
+ ContrailBase:
+ type: ./contrail-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Contrail provisioning role
+ value:
+ service_name: contrail_provision
+ config_settings:
+ map_merge:
+ - get_attr: [ContrailBase, role_data, config_settings]
+ step_config: |
+ include ::tripleo::network::contrail::provision
diff --git a/puppet/services/network/contrail-tsn.yaml b/puppet/services/network/contrail-tsn.yaml
new file mode 100644
index 00000000..88adc4a5
--- /dev/null
+++ b/puppet/services/network/contrail-tsn.yaml
@@ -0,0 +1,64 @@
+heat_template_version: ocata
+
+description: >
+ Contrail TSN Service
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ NeutronMetadataProxySharedSecret:
+ description: Metadata Secret
+ type: string
+ VrouterPhysicalInterface:
+ default: 'eth0'
+ description: vRouter physical interface
+ type: string
+ VrouterGateway:
+ default: '192.168.24.1'
+ description: vRouter default gateway
+ type: string
+ VrouterNetmask:
+ default: '255.255.255.0'
+ description: vRouter netmask
+ type: string
+
+resources:
+ ContrailBase:
+ type: ./contrail-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Contrail TSN Service
+ value:
+ service_name: contrail_tsn
+ config_settings:
+ map_merge:
+ - get_attr: [ContrailBase, role_data, config_settings]
+ - contrail::vrouter::host_ip: {get_param: [ServiceNetMap, NeutronCorePluginOpencontrailNetwork]}
+ contrail::vrouter::physical_interface: {get_param: VrouterPhysicalInterface}
+ contrail::vrouter::gateway: {get_param: VrouterGateway}
+ contrail::vrouter::netmask: {get_param: VrouterNetmask}
+ contrail::vrouter::metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret}
+ contrail::vrouter::is_tsn: 'true'
+ tripleo.neutron_compute_plugin_opencontrail.firewall_rules:
+ '111 neutron_compute_plugin_opencontrail proxy':
+ dport: 8097
+ proto: tcp
+ step_config: |
+ include ::tripleo::network::contrail::vrouter
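Review bot: `NeutronMetadataProxySharedSecret` is declared here without `hidden: true`, so the metadata proxy secret is shown in clear text wherever the stack's parameters are listed; contrail-vrouter.yaml in this same commit declares the same parameter with `hidden: true`, and this file should match. Separately, the firewall rule is stored under `tripleo.neutron_compute_plugin_opencontrail.firewall_rules` although `service_name` is `contrail_tsn`. The other templates on this page key their rules on their own service name (`tripleo.neutron_compute_plugin_ovn.firewall_rules`, `tripleo.neutron_dhcp.firewall_rules`), so if the lookup is by service name the port 8097 rule may not be applied where intended; contrail-vrouter.yaml uses the same key and rule name and has the same question.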
diff --git a/puppet/services/network/contrail-vrouter.yaml b/puppet/services/network/contrail-vrouter.yaml
new file mode 100644
index 00000000..db9f0836
--- /dev/null
+++ b/puppet/services/network/contrail-vrouter.yaml
@@ -0,0 +1,64 @@ +heat_template_version: ocata + +description: > + OpenStack Neutron Compute OpenContrail plugin + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + NeutronMetadataProxySharedSecret: + description: Metadata Secret + type: string + hidden: true + ContrailVrouterPhysicalInterface: + default: 'eth0' + description: vRouter physical interface + type: string + ContrailVrouterGateway: + default: '192.0.2.1' + description: vRouter default gateway + type: string + ContrailVrouterNetmask: + default: '255.255.255.0' + description: vRouter netmask + type: string + +resources: + ContrailBase: + type: ./contrail-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Neutron Compute OpenContrail plugin + value: + service_name: contrail_vrouter + config_settings: + map_merge: + - get_attr: [ContrailBase, role_data, config_settings] + - contrail::vrouter::host_ip: {get_param: [ServiceNetMap, NeutronCorePluginOpencontrailNetwork]} + contrail::vrouter::physical_interface: {get_param: ContrailVrouterPhysicalInterface} + contrail::vrouter::gateway: {get_param: ContrailVrouterGateway} + contrail::vrouter::netmask: {get_param: ContrailVrouterNetmask} + contrail::vrouter::metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} + tripleo.neutron_compute_plugin_opencontrail.firewall_rules: + '111 neutron_compute_plugin_opencontrail proxy': + dport: 8097 + proto: tcp + step_config: | + include 
::tripleo::network::contrail::vrouter diff --git a/puppet/services/network/contrail-webui.yaml b/puppet/services/network/contrail-webui.yaml index 72cc6fa5..3786cdd1 100644 --- a/puppet/services/network/contrail-webui.yaml +++ b/puppet/services/network/contrail-webui.yaml @@ -21,27 +21,6 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json - ContrailWebUiAnalyticsVip: - description: Contrail Analytics VIP - type: string - ContrailWebUiConfigVip: - description: Contrail Config VIP - type: string - ContrailWebUiNeutronVip: - description: Neutron VIP - type: string - ContrailWebuiHttpPort: - default: 8080 - description: HTTP Port of Webui - type: number - ContrailWebuiHttpsPort: - default: 8143 - description: HTTPS Port of Webui - type: number - ContrailWebUiRedisIp: - description: Redis IP - type: string - default: '127.0.0.1' resources: ContrailBase: @@ -59,11 +38,8 @@ outputs: config_settings: map_merge: - get_attr: [ContrailBase, role_data, config_settings] - - contrail::webui::contrail_analytics_vip: {get_param: ContrailWebUiAnalyticsVip} - contrail::webui::contrail_config_vip: {get_param: ContrailWebUiConfigVip} - contrail::webui::contrail_webui_http_port: {get_param: ContrailWebuiHttpPort} - contrail::webui::contrail_webui_https_port: {get_param: ContrailWebuiHttpsPort} - contrail::webui::neutron_vip: {get_param: ContrailWebUiNeutronVip} - contrail::webui::redis_ip: {get_param: ContrailWebUiRedisIp} + - contrail::webui::http_port: {get_param: [EndpointMap, ContrailWebuiHttpInternal, port] } + contrail::webui::https_port: {get_param: [EndpointMap, ContrailWebuiHttpsInternal, port] } + contrail::webui::redis_ip: '127.0.0.1' step_config: | include ::tripleo::network::contrail::webui diff --git a/puppet/services/neutron-api.yaml b/puppet/services/neutron-api.yaml index a6c8ba3c..b3a07fb0 100644 --- a/puppet/services/neutron-api.yaml +++ b/puppet/services/neutron-api.yaml 
@@ -71,6 +71,9 @@ parameters: removed in Ocata. Future releases will enable L3 HA by default if it is appropriate for the deployment type. Alternate mechanisms will be available to override. + EnableInternalTLS: + type: boolean + default: false parameter_groups: - label: deprecated @@ -82,8 +85,19 @@ parameter_groups: parameters: - NeutronL3HA +conditions: + use_tls_proxy: {equals : [{get_param: EnableInternalTLS}, true]} + resources: + TLSProxyBase: + type: OS::TripleO::Services::TLSProxyBase + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + EnableInternalTLS: {get_param: EnableInternalTLS} + NeutronBase: type: ./neutron-base.yaml properties: @@ -103,6 +117,7 @@ outputs: config_settings: map_merge: - get_attr: [NeutronBase, role_data, config_settings] + - get_attr: [TLSProxyBase, role_data, config_settings] - neutron::server::database_connection: list_join: - '' @@ -115,7 +130,7 @@ outputs: - '?bind_address=' - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" neutron::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + neutron::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} neutron::server::api_workers: {get_param: NeutronWorkers} neutron::server::rpc_workers: {get_param: NeutronWorkers} neutron::server::allow_automatic_l3agent_failover: {get_param: NeutronAllowL3AgentFailover} 
@@ -138,7 +153,23 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - neutron::bind_host: {get_param: [ServiceNetMap, NeutronApiNetwork]} + tripleo::profile::base::neutron::server::tls_proxy_bind_ip: + get_param: [ServiceNetMap, NeutronApiNetwork] + tripleo::profile::base::neutron::server::tls_proxy_fqdn: + str_replace: + template: + "%{hiera('fqdn_$NETWORK')}" + params: + $NETWORK: {get_param: [ServiceNetMap, NeutronApiNetwork]} + tripleo::profile::base::neutron::server::tls_proxy_port: + get_param: [EndpointMap, NeutronInternal, port] + # Bind to localhost if internal TLS is enabled, since we put a TLS + # proxy in front. + neutron::bind_host: + if: + - use_tls_proxy + - 'localhost' + - {get_param: [ServiceNetMap, NeutronApiNetwork]} tripleo::profile::base::neutron::server::l3_ha_override: {get_param: NeutronL3HA} step_config: | include tripleo::profile::base::neutron::server @@ -159,9 +190,9 @@ outputs: - '%' - "%{hiera('mysql_bind_host')}" upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-server is running" + shell: /usr/bin/systemctl show 'neutron-server' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_api service tags: step2 service: name=neutron-server state=stopped - - name: Sync neutron_api DB - tags: step5 - command: neutron-db-manage --config-file /etc/neutron/neutron.conf --config-file /etc/neutron/plugin.ini upgrade head diff --git a/puppet/services/neutron-compute-plugin-ovn.yaml b/puppet/services/neutron-compute-plugin-ovn.yaml index ce28b5c3..e3a4da99 100644 --- a/puppet/services/neutron-compute-plugin-ovn.yaml +++ b/puppet/services/neutron-compute-plugin-ovn.yaml 
@@ -18,9 +18,6 @@ parameters: via parameter_defaults in the resource registry. This mapping overrides those in ServiceNetMapDefaults. type: json - OVNDbHost: - description: IP address on which the OVN DB servers are listening - type: string OVNSouthboundServerPort: description: Port of the Southbound DB Server type: number @@ -29,6 +26,16 @@ parameters: description: Tunnel encapsulation type type: string default: geneve + NeutronBridgeMappings: + description: > + The OVS logical->physical bridge mappings to use. See the Neutron + documentation for details. Defaults to mapping br-ex - the external + bridge on hosts - to a physical name 'datacentre' which can be used + to create provider networks (and we use this for the default floating + network) - if changing this either use different post-install network + scripts or be sure to keep 'datacentre' as a mapping network name + type: comma_delimited_list + default: "datacentre:br-ex" outputs: @@ -37,9 +44,16 @@ outputs: value: service_name: neutron_compute_plugin_ovn config_settings: - tripleo::profile::base::neutron::agents::ovn::ovn_db_host: {get_param: OVNDbHost} ovn::southbound::port: {get_param: OVNSouthboundServerPort} - ovn::southbound::encap_type: {get_param: OVNTunnelEncapType} + ovn::controller::ovn_encap_type: {get_param: OVNTunnelEncapType} ovn::controller::ovn_encap_ip: {get_param: [ServiceNetMap, NeutronApiNetwork]} + ovn::controller::ovn_bridge_mappings: {get_param: NeutronBridgeMappings} + tripleo.neutron_compute_plugin_ovn.firewall_rules: + '118 neutron vxlan networks': + proto: 'udp' + dport: 4789 + '119 neutron geneve networks': + proto: 'udp' + dport: 6081 step_config: | include ::tripleo::profile::base::neutron::agents::ovn diff --git a/puppet/services/neutron-dhcp.yaml b/puppet/services/neutron-dhcp.yaml index 5e7de18e..062edaa4 100644 --- a/puppet/services/neutron-dhcp.yaml +++ b/puppet/services/neutron-dhcp.yaml 
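Review bot: The new `tripleo.neutron_compute_plugin_ovn.firewall_rules` block in the outputs hunk opens both UDP 4789 (vxlan) and UDP 6081 (geneve) on every node running this service, regardless of the value of `OVNTunnelEncapType`, whose default in this file is geneve. Opening only the port of the configured encapsulation would keep the exposed surface to what is in use; if both must stay open, a comment saying why would help the next reader. Neither rule restricts the source, so it is worth confirming that tunnel traffic is only reachable from the tenant/tunnel network.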
@@ -39,6 +39,10 @@ parameters: default: tag: openstack.neutron.agent.dhcp path: /var/log/neutron/dhcp-agent.log + NeutronDhcpAgentDnsmasqDnsServers: + default: [] + description: List of servers to use as dnsmasq forwarders + type: comma_delimited_list resources: @@ -64,6 +68,7 @@ outputs: - neutron::agents::dhcp::enable_isolated_metadata: {get_param: NeutronEnableIsolatedMetadata} neutron::agents::dhcp::enable_force_metadata: {get_param: NeutronEnableForceMetadata} neutron::agents::dhcp::enable_metadata_network: {get_param: NeutronEnableMetadataNetwork} + neutron::agents::dhcp::dnsmasq_dns_servers: {get_param: NeutronDhcpAgentDnsmasqDnsServers} tripleo.neutron_dhcp.firewall_rules: '115 neutron dhcp input': proto: 'udp' @@ -75,6 +80,9 @@ outputs: step_config: | include tripleo::profile::base::neutron::dhcp upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-dhcp-agent is running" + shell: /usr/bin/systemctl show 'neutron-dhcp-agent' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_dhcp service tags: step2 service: name=neutron-dhcp-agent state=stopped diff --git a/puppet/services/neutron-l3.yaml b/puppet/services/neutron-l3.yaml index 9d858441..69803551 100644 --- a/puppet/services/neutron-l3.yaml +++ b/puppet/services/neutron-l3.yaml @@ -80,6 +80,9 @@ outputs: step_config: | include tripleo::profile::base::neutron::l3 upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-l3-agent is running" + shell: /usr/bin/systemctl show 'neutron-l3-agent' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_l3 service tags: step2 service: name=neutron-l3-agent state=stopped diff --git a/puppet/services/neutron-metadata.yaml b/puppet/services/neutron-metadata.yaml index 43066767..6f5debdd 100644 --- a/puppet/services/neutron-metadata.yaml +++ b/puppet/services/neutron-metadata.yaml 
@@ -70,12 +70,15 @@ outputs: - neutron::agents::metadata::shared_secret: {get_param: NeutronMetadataProxySharedSecret} neutron::agents::metadata::metadata_workers: {get_param: NeutronWorkers} neutron::agents::metadata::auth_password: {get_param: NeutronPassword} - neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + neutron::agents::metadata::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } neutron::agents::metadata::auth_tenant: 'service' neutron::agents::metadata::metadata_ip: "%{hiera('nova_metadata_vip')}" step_config: | include tripleo::profile::base::neutron::metadata upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-metadata-agent is running" + shell: /usr/bin/systemctl show 'neutron-metadata-agent' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_metadata service tags: step2 service: name=neutron-metadata-agent state=stopped diff --git a/puppet/services/neutron-ovs-agent.yaml b/puppet/services/neutron-ovs-agent.yaml index baeb0c66..c27bb909 100644 --- a/puppet/services/neutron-ovs-agent.yaml +++ b/puppet/services/neutron-ovs-agent.yaml @@ -121,6 +121,9 @@ outputs: step_config: | include ::tripleo::profile::base::neutron::ovs upgrade_tasks: + - name: "PreUpgrade step0,validation: Check service neutron-openvswitch-agent is running" + shell: /usr/bin/systemctl show 'neutron-openvswitch-agent' --property ActiveState | grep '\bactive\b' + tags: step0,validation - name: Stop neutron_ovs_agent service tags: step2 service: name=neutron-openvswitch-agent state=stopped diff --git a/puppet/services/neutron-ovs-dpdk-agent.yaml b/puppet/services/neutron-ovs-dpdk-agent.yaml index 5c77e35d..e25bc495 100644 --- a/puppet/services/neutron-ovs-dpdk-agent.yaml +++ b/puppet/services/neutron-ovs-dpdk-agent.yaml 
@@ -18,6 +18,11 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + HostCpusList: + description: List of cores to be used for host process + type: string + constraints: + - allowed_pattern: "'[0-9,-]+'" NeutronDpdkCoreList: description: List of cores to be used for DPDK Poll Mode Driver type: string @@ -68,7 +73,8 @@ outputs: - neutron::agents::ml2::ovs::enable_dpdk: true neutron::agents::ml2::ovs::datapath_type: {get_param: NeutronDatapathType} neutron::agents::ml2::ovs::vhostuser_socket_dir: {get_param: NeutronVhostuserSocketDir} - vswitch::dpdk::core_list: {get_param: NeutronDpdkCoreList} + vswitch::dpdk::host_core_list: {get_param: HostCpusList} + vswitch::dpdk::pmd_core_list: {get_param: NeutronDpdkCoreList} vswitch::dpdk::memory_channels: {get_param: NeutronDpdkMemoryChannels} vswitch::dpdk::socket_mem: {get_param: NeutronDpdkSocketMemory} vswitch::dpdk::driver_type: {get_param: NeutronDpdkDriverType} diff --git a/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml b/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml new file mode 100644 index 00000000..85971f17 --- /dev/null +++ b/puppet/services/neutron-plugin-ml2-fujitsu-fossw.yaml 
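Review bot: `HostCpusList` is added without a `default`, and its description does not mention that `allowed_pattern: "'[0-9,-]+'"` requires the value to be wrapped in literal single quotes. An operator enabling this service has to supply the parameter and is likely to pass a bare list first and fail validation. I would extend the description, e.g. `description: List of cores to be used for host process, wrapped in single quotes (for example "'0,1'")`. The pattern also accepts strings that are not core lists, such as a lone `,` or `-` between the quotes; whether the consumer of `vswitch::dpdk::host_core_list` rejects those is not visible from this hunk.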
@@ -0,0 +1,78 @@ +heat_template_version: ocata + +description: Configure hieradata for Fujitsu fossw plugin configuration + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + NeutronFujitsuFosswIps: + description: 'The List of IP address of all fos switches.' + type: comma_delimited_list + NeutronFujitsuFosswUserName: + description: 'The username of the fos switches.' + type: string + NeutronFujitsuFosswPassword: + description: 'The password of the fos switches.' + type: string + hidden: true + NeutronFujitsuFosswPort: + description: 'The port number used for SSH connection.' + type: number + default: 22 + NeutronFujitsuFosswTimeout: + description: 'The timeout os SSH connection.' + type: number + default: 30 + NeutronFujitsuFosswUdpDestPort: + description: 'The port number of VXLAN UDP destination on the fos switches.' + type: number + default: 4789 + NeutronFujitsuFosswOvsdbVlanidRangeMin: + description: 'The minimum VLAN ID in the range that is used for binding VNI and physical port.' + type: number + default: 2 + NeutronFujitsuFosswOvsdbPort: + description: 'The port number which OVSDB server on the fos switches listen.' 
+ type: number + default: 6640 + +resources: + + NeutronMl2Base: + type: ./neutron-plugin-ml2.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for Fujitsu Fossw ML2 Driver + value: + service_name: neutron_plugin_ml2_fujitsu_fossw + config_settings: + map_merge: + - get_attr: [NeutronMl2Base, role_data, config_settings] + - neutron::plugins::ml2::fujitsu::fossw::fossw_ips: {get_param: NeutronFujitsuFosswIps} + neutron::plugins::ml2::fujitsu::fossw::username: {get_param: NeutronFujitsuFosswUserName} + neutron::plugins::ml2::fujitsu::fossw::password: {get_param: NeutronFujitsuFosswPassword} + neutron::plugins::ml2::fujitsu::fossw::port: {get_param: NeutronFujitsuFosswPort} + neutron::plugins::ml2::fujitsu::fossw::timeout: {get_param: NeutronFujitsuFosswTimeout} + neutron::plugins::ml2::fujitsu::fossw::udp_dest_port: {get_param: NeutronFujitsuFosswUdpDestPort} + neutron::plugins::ml2::fujitsu::fossw::ovsdb_vlanid_range_min: {get_param: NeutronFujitsuFosswOvsdbVlanidRangeMin} + neutron::plugins::ml2::fujitsu::fossw::ovsdb_port: {get_param: NeutronFujitsuFosswOvsdbPort} + step_config: | + include ::tripleo::profile::base::neutron::plugins::ml2 + diff --git a/puppet/services/neutron-plugin-ml2-ovn.yaml b/puppet/services/neutron-plugin-ml2-ovn.yaml index 59346edc..4d4c3900 100644 --- a/puppet/services/neutron-plugin-ml2-ovn.yaml +++ b/puppet/services/neutron-plugin-ml2-ovn.yaml 
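Review bot: The port parameters in this new template (`NeutronFujitsuFosswPort`, `NeutronFujitsuFosswUdpDestPort`, `NeutronFujitsuFosswOvsdbPort`) are plain `type: number` with no range constraint, so an out-of-range or negative value passes stack validation and only surfaces when the driver tries to connect to the switch. Adding `constraints: [{range: {min: 1, max: 65535}}]` to each would catch that early, and `NeutronFujitsuFosswOvsdbVlanidRangeMin` could be limited to the valid VLAN ID range in the same way. `OVNSouthboundServerPort` in neutron-plugin-ml2-ovn.yaml, added further down, has the same gap. The description of `NeutronFujitsuFosswTimeout` reads "The timeout os SSH connection" and should say "of".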
@@ -18,10 +18,14 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + OVNSouthboundServerPort: + description: Port of the OVN Southbound DB server + type: number + default: 6642 OVNDbConnectionTimeout: description: Timeout in seconds for the OVSDB connection transaction type: number - default: 60 + default: 180 OVNVifType: description: Type of VIF to be used for ports type: string @@ -43,6 +47,10 @@ parameters: description: OVN notification driver for Neutron QOS service plugin type: string default: NULL + NeutronGeneveMaxHeaderSize: + description: Geneve encapsulation header size + type: number + default: 38 resources: @@ -61,10 +69,12 @@ outputs: config_settings: map_merge: - get_attr: [NeutronMl2Base, role_data, config_settings] - - neutron::plugins::ovn::ovsdb_connection_timeout: {get_param: OVNDbConnectionTimeout} - neutron::plugins::ovn::neutron_sync_mode: {get_param: OVNNeutronSyncMode} - neutron::plugins::ovn::ovn_l3_mode: true - neutron::plugins::ovn::vif_type: {get_param: OVNVifType} + - ovn::southbound::port: {get_param: OVNSouthboundServerPort} + neutron::plugins::ml2::ovn::ovsdb_connection_timeout: {get_param: OVNDbConnectionTimeout} + neutron::plugins::ml2::ovn::neutron_sync_mode: {get_param: OVNNeutronSyncMode} + neutron::plugins::ml2::ovn::ovn_l3_mode: true + neutron::plugins::ml2::ovn::vif_type: {get_param: OVNVifType} neutron::server::qos_notification_drivers: {get_param: OVNQosDriver} + neutron::plugins::ml2::max_header_size: {get_param: NeutronGeneveMaxHeaderSize} step_config: | include ::tripleo::profile::base::neutron::plugins::ml2 diff --git a/puppet/services/neutron-plugin-ml2.yaml b/puppet/services/neutron-plugin-ml2.yaml index 407ce6ba..3abd04f3 100644 --- a/puppet/services/neutron-plugin-ml2.yaml +++ b/puppet/services/neutron-plugin-ml2.yaml 
@@ -60,12 +60,6 @@ parameters: default: 'vxlan' description: The tenant network type for Neutron. type: comma_delimited_list - NeutronSupportedPCIVendorDevs: - description: | - List of supported pci vendor devices in the format VendorID:ProductID. - By default Intel & Mellanox SR-IOV capable NICs are supported. - type: comma_delimited_list - default: ['15b3:1004','8086:10ca'] resources: NeutronBase: @@ -91,7 +85,9 @@ outputs: neutron::plugins::ml2::tunnel_id_ranges: {get_param: NeutronTunnelIdRanges} neutron::plugins::ml2::vni_ranges: {get_param: NeutronVniRanges} neutron::plugins::ml2::tenant_network_types: {get_param: NeutronNetworkType} - neutron::plugins::ml2::supported_pci_vendor_devs: {get_param: NeutronSupportedPCIVendorDevs} step_config: | include ::tripleo::profile::base::neutron::plugins::ml2 + service_config_settings: + horizon: + neutron::plugins::ml2::mechanism_drivers: {get_param: NeutronMechanismDrivers} diff --git a/puppet/services/neutron-plugin-opencontrail.yaml b/puppet/services/neutron-plugin-opencontrail.yaml deleted file mode 100644 index 976e5f19..00000000 --- a/puppet/services/neutron-plugin-opencontrail.yaml +++ /dev/null 
@@ -1,74 +0,0 @@ -heat_template_version: ocata - -description: > - OpenStack Neutron Opencontrail plugin - -parameters: - ServiceNetMap: - default: {} - description: Mapping of service_name -> network name. Typically set - via parameter_defaults in the resource registry. This - mapping overrides those in ServiceNetMapDefaults. - type: json - DefaultPasswords: - default: {} - type: json - EndpointMap: - default: {} - description: Mapping of service endpoint -> protocol. Typically set - via parameter_defaults in the resource registry. - type: json - AdminPassword: - description: The password for the keystone admin account, used for monitoring, querying neutron etc. - type: string - hidden: true - AdminToken: - description: The keystone auth secret and db password. - type: string - hidden: true - ContrailApiServerIp: - description: IP address of the OpenContrail API server - type: string - ContrailApiServerPort: - description: Port of the OpenContrail API - type: string - default: 8082 - ContrailMultiTenancy: - description: Whether to enable multi tenancy - type: boolean - default: false - ContrailExtensions: - description: List of OpenContrail extensions to be enabled - type: comma_delimited_list - default: '' - -resources: - - NeutronBase: - type: ./neutron-base.yaml - properties: - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - -outputs: - role_data: - description: Role data for the Neutron Opencontrail plugin - value: - service_name: neutron_plugin_opencontrail - config_settings: - map_merge: - - get_attr: [NeutronBase, role_data, config_settings] - - neutron::api_extensions_path: /usr/lib/python2.7/site-packages/neutron_plugin_contrail/extensions,/usr/lib/python2.7/site-packages/neutron_lbaas/extensions - - neutron::plugins::opencontrail::api_server_ip: {get_param: ContrailApiServerIp} - neutron::plugins::opencontrail::api_server_port: {get_param: ContrailApiServerPort} - 
neutron::plugins::opencontrail::multi_tenancy: {get_param: ContrailMultiTenancy} - neutron::plugins::opencontrail::contrail_extensions: {get_param: ContrailExtensions} - neutron::plugins::opencontrail::keystone_auth_url: {get_param: [EndpointMap, KeystoneInternal, uri] } - neutron::plugins::opencontrail::keystone_admin_user: admin - neutron::plugins::opencontrail::keystone_admin_tenant_name: admin - neutron::plugins::opencontrail::keystone_admin_password: {get_param: AdminPassword} - neutron::plugins::opencontrail::keystone_admin_token: {get_param: AdminToken} - step_config: | - include tripleo::profile::base::neutron::plugins::opencontrail diff --git a/puppet/services/neutron-plugin-plumgrid.yaml b/puppet/services/neutron-plugin-plumgrid.yaml index bd078074..ad1dcfb0 100644 --- a/puppet/services/neutron-plugin-plumgrid.yaml +++ b/puppet/services/neutron-plugin-plumgrid.yaml @@ -102,7 +102,7 @@ outputs: - '/ovs_neutron' - '?bind_address=' - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" - neutron::plugins::plumgrid::controller_priv_host: {get_param: [EndpointMap, KeystoneAdmin, host]} + neutron::plugins::plumgrid::controller_priv_host: {get_param: [EndpointMap, KeystoneInternal, host]} neutron::plugins::plumgrid::admin_password: {get_param: AdminPassword} neutron::plugins::plumgrid::metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} neutron::plugins::plumgrid::director_server: {get_param: PLUMgridDirectorServer} diff --git a/puppet/services/nova-api.yaml b/puppet/services/nova-api.yaml index 36ac3e08..d18b5b48 100644 --- a/puppet/services/nova-api.yaml +++ b/puppet/services/nova-api.yaml 
@@ -58,18 +58,24 @@ parameters: default: 'public' description: Default pool for floating IP addresses type: string + NovaDbSyncTimeout: + default: 300 + description: Timeout for Nova db sync + type: number conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} resources: - ApacheServiceBase: - type: ./apache.yaml - properties: - ServiceNetMap: {get_param: ServiceNetMap} - DefaultPasswords: {get_param: DefaultPasswords} - EndpointMap: {get_param: EndpointMap} - EnableInternalTLS: {get_param: EnableInternalTLS} + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + # ApacheServiceBase: + # type: ./apache.yaml + # properties: + # ServiceNetMap: {get_param: ServiceNetMap} + # DefaultPasswords: {get_param: DefaultPasswords} + # EndpointMap: {get_param: EndpointMap} + # EnableInternalTLS: {get_param: EnableInternalTLS} NovaBase: type: ./nova-base.yaml @@ -90,7 +96,9 @@ outputs: config_settings: map_merge: - get_attr: [NovaBase, role_data, config_settings] - - get_attr: [ApacheServiceBase, role_data, config_settings] + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + # - get_attr: [ApacheServiceBase, role_data, config_settings] - nova::cron::archive_deleted_rows::hour: '*/12' nova::cron::archive_deleted_rows::destination: '/dev/null' tripleo.nova_api.firewall_rules: @@ -104,7 +112,7 @@ outputs: nova::keystone::authtoken::project_name: 'service' nova::keystone::authtoken::password: {get_param: NovaPassword} nova::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + nova::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} nova::api::enabled: true nova::api::default_floating_pool: {get_param: NovaDefaultFloatingPool} nova::api::sync_db_api: true 
@@ -115,20 +123,23 @@ outputs: "%{hiera('fqdn_$NETWORK')}" params: $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} - nova::api::service_name: 'httpd' - nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS} + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + nova_wsgi_enabled: false + # nova::api::service_name: 'httpd' + # nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS} # NOTE: bind IP is found in Heat replacing the network name with the local node IP # for the given network; replacement examples (eg. for internal_api): # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - nova::wsgi::apache_api::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} - nova::wsgi::apache_api::servername: - str_replace: - template: - "%{hiera('fqdn_$NETWORK')}" - params: - $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + # nova::wsgi::apache_api::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} + # nova::wsgi::apache_api::servername: + # str_replace: + # template: + # "%{hiera('fqdn_$NETWORK')}" + # params: + # $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} nova::api::neutron_metadata_proxy_shared_secret: {get_param: NeutronMetadataProxySharedSecret} nova::api::instance_name_template: {get_param: InstanceNameTemplate} nova_enable_db_purge: {get_param: NovaEnableDBPurge} @@ -137,7 +148,9 @@ outputs: - nova_workers_zero - {} - nova::api::osapi_compute_workers: {get_param: NovaWorkers} - nova::wsgi::apache_api::workers: {get_param: NovaWorkers} + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + # nova::wsgi::apache_api::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::api service_config_settings: 
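Review bot: Commenting out `nova::wsgi::apache_api::ssl: {get_param: EnableInternalTLS}` together with the `ApacheServiceBase` resource means nothing on the new side of these nova-api hunks consumes `EnableInternalTLS` any more, so a deployment that sets it appears to get a Nova API endpoint without internal TLS and without any warning. The workaround comment gives the bug link but not this consequence. I would state it next to `nova_wsgi_enabled: false`, e.g. `# NOTE: while WSGI is disabled, EnableInternalTLS has no effect on nova-api`, or fail validation when the parameter is true. Whether another layer terminates TLS for this endpoint is not visible from this template.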
@@ -165,3 +178,90 @@ outputs: nova::keystone::auth::admin_url: {get_param: [EndpointMap, NovaAdmin, uri]} nova::keystone::auth::password: {get_param: NovaPassword} nova::keystone::auth::region: {get_param: KeystoneRegion} + # Temporarily disable Nova API deployed in WSGI + # https://bugs.launchpad.net/nova/+bug/1661360 + # metadata_settings: + # get_attr: [ApacheServiceBase, role_data, metadata_settings] + upgrade_tasks: + - name: get bootstrap nodeid + tags: common + command: hiera bootstrap_nodeid + register: bootstrap_node + - name: set is_bootstrap_node fact + tags: common + set_fact: is_bootstrap_node={{bootstrap_node.stdout == ansible_hostname}} + - name: Extra migration for nova tripleo/+bug/1656791 + tags: step0,pre-upgrade + when: is_bootstrap_node + command: nova-manage db online_data_migrations + - name: update nova api + tags: step2 + yum: name=openstack-nova-api state=latest + - name: Stop and disable nova_api service (pre-upgrade not under httpd) + tags: step2 + service: name=openstack-nova-api state=stopped enabled=no + - name: Create puppet manifest to set transport_url in nova.conf + tags: step5 + when: is_bootstrap_node + copy: + dest: /root/nova-api_upgrade_manifest.pp + mode: 0600 + content: > + $transport_url = os_transport_url({ + 'transport' => hiera('messaging_service_name', 'rabbit'), + 'hosts' => any2array(hiera('rabbitmq_node_names', undef)), + 'port' => sprintf('%s',hiera('nova::rabbit_port', '5672') ), + 'username' => hiera('nova::rabbit_userid', 'guest'), + 'password' => hiera('nova::rabbit_password'), + 'ssl' => sprintf('%s', bool2num(str2bool(hiera('nova::rabbit_use_ssl', '0')))) + }) + oslo::messaging::default { 'nova_config': + transport_url => $transport_url + } + - name: Run puppet apply to set tranport_url in nova.conf + tags: step5 + when: is_bootstrap_node + command: puppet apply --detailed-exitcodes /root/nova-api_upgrade_manifest.pp + register: puppet_apply_nova_api_upgrade + failed_when: puppet_apply_nova_api_upgrade.rc not 
in [0,2] + changed_when: puppet_apply_nova_api_upgrade.rc == 2 + - name: Setup cell_v2 (map cell0) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 map_cell0 + - name: Setup cell_v2 (create default cell) + tags: step5 + when: is_bootstrap_node + # (owalsh) puppet-nova expects the cell name 'default' + # (owalsh) pass the db uri explicitly to avoid https://bugs.launchpad.net/tripleo/+bug/1662344 + shell: nova-manage cell_v2 create_cell --name='default' --database_connection=$(hiera nova::database_connection) + register: nova_api_create_cell + failed_when: nova_api_create_cell.rc not in [0,2] + changed_when: nova_api_create_cell.rc == 0 + - name: Setup cell_v2 (sync nova/cell DB) + tags: step5 + when: is_bootstrap_node + command: nova-manage db sync + async: {get_param: NovaDbSyncTimeout} + poll: 10 + - name: Setup cell_v2 (migrate hosts) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 map_cell_and_hosts + - name: Setup cell_v2 (get cell uuid) + tags: step5 + when: is_bootstrap_node + shell: nova-manage cell_v2 list_cells | sed -e '1,3d' -e '$d' | awk -F ' *| *' '$2 == "default" {print $4}' + register: nova_api_cell_uuid + - name: Setup cell_v2 (migrate instances) + tags: step5 + when: is_bootstrap_node + command: nova-manage cell_v2 map_instances --cell_uuid {{nova_api_cell_uuid.stdout}} + - name: Sync nova_api DB + tags: step5 + command: nova-manage api_db sync + when: is_bootstrap_node + - name: Online data migration for nova + tags: step5 + when: is_bootstrap_node + command: nova-manage db online_data_migrations diff --git a/puppet/services/nova-base.yaml b/puppet/services/nova-base.yaml index c448bf49..d892c36d 100644 --- a/puppet/services/nova-base.yaml +++ b/puppet/services/nova-base.yaml 
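Review bot: The `Setup cell_v2 (create default cell)` task expands `$(hiera nova::database_connection)` unquoted on a `shell` command line, and going by the `list_join` context in nova-base.yaml that value is the full connection URI including the database password. Unquoted, a value containing whitespace or glob characters is split or expanded by the shell, and the URI with its credentials ends up in the process list and in Ansible's task output. Quote the substitution, `--database_connection="$(hiera nova::database_connection)"`, and add `no_log: true` to the task so the credentials stay out of the logs. The inline comment says the URI is passed explicitly only to work around bug 1662344, so the argument should be dropped once nova-manage can read it from nova.conf again.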
@@ -115,7 +115,11 @@ parameters: description: > Cron to move deleted instances to another table - Until complete default: false - + NovaPlacementAPIInterface: + type: string + description: > + Endpoint interface to be used for the placement API. + default: 'internal' conditions: @@ -134,8 +138,9 @@ outputs: nova::rabbit_port: {get_param: RabbitClientPort} nova::placement::project_name: 'service' nova::placement::password: {get_param: NovaPassword} - nova::placement::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + nova::placement::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} nova::placement::os_region_name: {get_param: KeystoneRegion} + nova::placement::os_interface: {get_param: NovaPlacementAPIInterface} nova::database_connection: list_join: - '' @@ -145,8 +150,6 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" nova::api_database_connection: list_join: - '' @@ -156,8 +159,6 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova_api' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" nova::placement_database_connection: list_join: - '' @@ -167,12 +168,11 @@ outputs: - '@' - {get_param: [EndpointMap, MysqlInternal, host]} - '/nova_placement' - - '?bind_address=' - - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" nova::debug: {get_param: Debug} nova::purge_config: {get_param: EnableConfigPurge} nova::network::neutron::neutron_project_name: 'service' nova::network::neutron::neutron_username: 'neutron' + nova::network::neutron::neutron_region_name: {get_param: KeystoneRegion} nova::network::neutron::dhcp_domain: '' nova::network::neutron::neutron_password: {get_param: NeutronPassword} nova::network::neutron::neutron_url: {get_param: [EndpointMap, NeutronInternal, uri]} 
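Review bot: `NovaPlacementAPIInterface` is a free-form string that ends up in `nova::placement::os_interface`, so a misspelled value is accepted at stack validation and only fails when Nova looks up the placement endpoint. An `allowed_values` constraint would catch it and keep the endpoint choice explicit: `constraints: [{allowed_values: ['public', 'internal', 'admin']}]`. The description could also note that selecting `public` routes service-to-service placement traffic over the public endpoint.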
diff --git a/puppet/services/nova-compute.yaml b/puppet/services/nova-compute.yaml index 2312b635..9923e833 100644 --- a/puppet/services/nova-compute.yaml +++ b/puppet/services/nova-compute.yaml @@ -75,6 +75,10 @@ parameters: default: tag: openstack.nova.compute path: /var/log/nova/nova-compute.log + UpgradeLevelNovaCompute: + type: string + description: Nova Compute upgrade level + default: auto resources: NovaBase: @@ -141,3 +145,24 @@ outputs: # We'll probably treat it like we do with Neutron plugins. # Until then, just include it in the default nova-compute role. include tripleo::profile::base::nova::compute::libvirt + service_config_settings: + collectd: + tripleo.collectd.plugins.nova_compute: + - virt + collectd::plugins::virt::connection: "qemu:///system" + upgrade_tasks: + - name: Stop nova-compute service + tags: step2 + service: name=openstack-nova-compute state=stopped + # If not already set by puppet (e.g a pre-ocata version), set the + # upgrade_level for compute to "auto" + - name: Set compute upgrade level to auto + tags: step3 + ini_file: + str_replace: + template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL" + params: + LEVEL: {get_param: UpgradeLevelNovaCompute} + - name: Start nova-compute service + tags: step6 + service: name=openstack-nova-compute state=started diff --git a/puppet/services/nova-conductor.yaml b/puppet/services/nova-conductor.yaml index b96bf6e6..7b086536 100644 --- a/puppet/services/nova-conductor.yaml +++ b/puppet/services/nova-conductor.yaml @@ -30,6 +30,10 @@ parameters: default: tag: openstack.nova.scheduler path: /var/log/nova/nova-scheduler.log + UpgradeLevelNovaCompute: + type: string + description: Nova Compute upgrade level + default: auto conditions: nova_workers_zero: {equals : [{get_param: NovaWorkers}, 0]} 
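Review bot: The `Set compute upgrade level to auto` task builds its `ini_file` arguments as one free-form `key=value` string and substitutes `UpgradeLevelNovaCompute` into it, so a parameter value containing a space or another `key=` pair would be parsed as extra module arguments rather than as the option value. Passing the arguments as a mapping avoids that, and an `allowed_pattern` on the parameter would reject unexpected values up front. The task name and the comment above it say the level is set to auto only when puppet has not already set it, but the task writes whatever the parameter holds unconditionally. The same task is added to nova-conductor.yaml in the hunk that follows.

```yaml
        # … unchanged: Stop nova-compute service …
        - name: Set compute upgrade level to auto
          tags: step3
          ini_file:
            dest: /etc/nova/nova.conf
            section: upgrade_levels
            option: compute
            value: {get_param: UpgradeLevelNovaCompute}
        # … unchanged: Start nova-compute service …
```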
@@ -61,3 +65,19 @@ outputs: - nova::conductor::workers: {get_param: NovaWorkers} step_config: | include tripleo::profile::base::nova::conductor + upgrade_tasks: + - name: Stop nova_conductor service + tags: step2 + service: name=openstack-nova-conductor state=stopped + - name: update nova conductor + tags: step2 + yum: name=openstack-nova-conductor state=latest + # If not already set by puppet (e.g a pre-ocata version), set the + # upgrade_level for compute to "auto" + - name: Set compute upgrade level to auto + tags: step3 + ini_file: + str_replace: + template: "dest=/etc/nova/nova.conf section=upgrade_levels option=compute value=LEVEL" + params: + LEVEL: {get_param: UpgradeLevelNovaCompute} diff --git a/puppet/services/nova-consoleauth.yaml b/puppet/services/nova-consoleauth.yaml index 79969ded..b5a1312a 100644 --- a/puppet/services/nova-consoleauth.yaml +++ b/puppet/services/nova-consoleauth.yaml @@ -48,3 +48,7 @@ outputs: get_attr: [NovaBase, role_data, config_settings] step_config: | include tripleo::profile::base::nova::consoleauth + upgrade_tasks: + - name: Stop nova_consoleauth service + tags: step2 + service: name=openstack-nova-consoleauth state=stopped diff --git a/puppet/services/nova-ironic.yaml b/puppet/services/nova-ironic.yaml index 306c6b6f..5eb2170a 100644 --- a/puppet/services/nova-ironic.yaml +++ b/puppet/services/nova-ironic.yaml 
@@ -42,10 +42,10 @@ outputs: - nova::compute::force_config_drive: true nova::compute::reserved_host_memory: '0' nova::compute::vnc_enabled: false - nova::ironic::common::admin_password: {get_param: IronicPassword} - nova::ironic::common::admin_tenant_name: 'service' - nova::ironic::common::admin_url: {get_param: [EndpointMap, KeystoneAdmin, uri]} - nova::ironic::common::admin_username: 'ironic' + nova::ironic::common::password: {get_param: IronicPassword} + nova::ironic::common::project_name: 'service' + nova::ironic::common::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri]} + nova::ironic::common::username: 'ironic' nova::ironic::common::api_endpoint: {get_param: [EndpointMap, IronicInternal, uri]} nova::network::neutron::dhcp_domain: '' nova::scheduler::filter::scheduler_host_manager: 'ironic_host_manager' diff --git a/puppet/services/nova-libvirt.yaml b/puppet/services/nova-libvirt.yaml index a9b2b3f9..faf1ae48 100644 --- a/puppet/services/nova-libvirt.yaml +++ b/puppet/services/nova-libvirt.yaml @@ -62,6 +62,7 @@ outputs: nova::compute::libvirt::qemu::configure_qemu: true nova::compute::libvirt::qemu::max_files: 32768 nova::compute::libvirt::qemu::max_processes: 131072 + nova::compute::libvirt::vncserver_listen: {get_param: [ServiceNetMap, NovaLibvirtNetwork]} tripleo.nova_libvirt.firewall_rules: '200 nova_libvirt': dport: diff --git a/puppet/services/nova-placement.yaml b/puppet/services/nova-placement.yaml index 82b83561..5564c1b3 100644 --- a/puppet/services/nova-placement.yaml +++ b/puppet/services/nova-placement.yaml 
@@ -86,13 +86,13 @@ outputs: # internal_api -> IP # internal_api_uri -> [IP] # internal_api_subnet - > IP/CIDR - nova::wsgi::apache_placement::bind_host: {get_param: [ServiceNetMap, NovaApiNetwork]} + nova::wsgi::apache_placement::bind_host: {get_param: [ServiceNetMap, NovaPlacementNetwork]} nova::wsgi::apache_placement::servername: str_replace: template: "%{hiera('fqdn_$NETWORK')}" params: - $NETWORK: {get_param: [ServiceNetMap, NovaApiNetwork]} + $NETWORK: {get_param: [ServiceNetMap, NovaPlacementNetwork]} - if: - nova_workers_zero @@ -118,3 +118,7 @@ outputs: nova::db::mysql_placement::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + upgrade_tasks: + - name: Stop nova_placement service (running under httpd) + tags: step2 + service: name=httpd state=stopped diff --git a/puppet/services/nova-scheduler.yaml b/puppet/services/nova-scheduler.yaml index 353a75ac..0e0b9d1e 100644 --- a/puppet/services/nova-scheduler.yaml +++ b/puppet/services/nova-scheduler.yaml @@ -63,3 +63,10 @@ outputs: nova::scheduler::filter::scheduler_default_filters: {get_param: NovaSchedulerDefaultFilters} step_config: | include tripleo::profile::base::nova::scheduler + upgrade_tasks: + - name: Stop nova_scheduler service + tags: step2 + service: name=openstack-nova-scheduler state=stopped + - name: update nova scheduler + tags: step2 + yum: name=openstack-nova-scheduler state=latest diff --git a/puppet/services/nova-vnc-proxy.yaml b/puppet/services/nova-vnc-proxy.yaml index bf244943..f6cf9649 100644 --- a/puppet/services/nova-vnc-proxy.yaml +++ b/puppet/services/nova-vnc-proxy.yaml @@ -64,3 +64,7 @@ outputs: - 13080 step_config: | include tripleo::profile::base::nova::vncproxy + upgrade_tasks: + - name: Stop nova_vnc_proxy service + tags: step2 + service: name=openstack-nova-consoleauth state=stopped diff --git a/puppet/services/octavia-api.yaml b/puppet/services/octavia-api.yaml new file mode 100644 index 00000000..37ba1f73 --- /dev/null +++ b/puppet/services/octavia-api.yaml 
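Review bot: The new upgrade task in nova-vnc-proxy.yaml is named `Stop nova_vnc_proxy service` but stops `openstack-nova-consoleauth`, the same unit that nova-consoleauth.yaml already stops, so the VNC proxy itself keeps running through the step2 upgrade. This looks like a copy-paste from the consoleauth template; the line should name the proxy's own unit, presumably `service: name=openstack-nova-novncproxy state=stopped`. Please confirm the unit name against the package on the target release.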
@@ -0,0 +1,99 @@ +heat_template_version: ocata + +description: > + OpenStack Octavia API service. + +parameters: + ServiceNetMap: + default: {} + description: Mapping of service_name -> network name. Typically set + via parameter_defaults in the resource registry. This + mapping overrides those in ServiceNetMapDefaults. + type: json + DefaultPasswords: + default: {} + type: json + EndpointMap: + default: {} + description: Mapping of service endpoint -> protocol. Typically set + via parameter_defaults in the resource registry. + type: json + OctaviaPassword: + description: The password for the Octavia's database account. + type: string + hidden: true + KeystoneRegion: + type: string + default: 'regionOne' + description: Keystone region for endpoint + MonitoringSubscriptionOctaviaApi: + default: 'overcloud-octavia-api' + type: string + OctaviaApiLoggingSource: + type: json + default: + tag: openstack.octavia.api + path: /var/log/octavia/api.log + +resources: + + OctaviaBase: + type: ./octavia-base.yaml + properties: + ServiceNetMap: {get_param: ServiceNetMap} + DefaultPasswords: {get_param: DefaultPasswords} + EndpointMap: {get_param: EndpointMap} + +outputs: + role_data: + description: Role data for the Octavia API service. 
+ value: + service_name: octavia_api + monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaApi} + logging_source: {get_param: OctaviaApiLoggingSource} + logging_groups: + - octavia + config_settings: + map_merge: + - get_attr: [OctaviaBase, role_data, config_settings] + - octavia::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } + octavia::db::database_connection: + list_join: + - '' + - - {get_param: [EndpointMap, MysqlInternal, protocol]} + - '://octavia:' + - {get_param: OctaviaPassword} + - '@' + - {get_param: [EndpointMap, MysqlInternal, host]} + - '/octavia' + - '?bind_address=' + - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}" + octavia::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} + octavia::keystone::authtoken::project_name: 'service' + octavia::keystone::authtoken::password: {get_param: OctaviaPassword} + octavia::api::sync_db: true + tripleo.octavia_api.firewall_rules: + '120 octavia api': + dport: + - 9876 + - 13876 + octavia::api::host: {get_param: [ServiceNetMap, OctaviaApiNetwork]} + neutron::server::service_providers: ['LOADBALANCERV2:Octavia:neutron_lbaas.drivers.octavia.driver.OctaviaDriver:default'] + step_config: | + include tripleo::profile::base::octavia::api + service_config_settings: + keystone: + octavia::keystone::auth::tenant: 'service' + octavia::keystone::auth::public_url: {get_param: [EndpointMap, OctaviaPublic, uri]} + octavia::keystone::auth::internal_url: { get_param: [ EndpointMap, OctaviaInternal, uri ] } + octavia::keystone::auth::admin_url: { get_param: [ EndpointMap, OctaviaAdmin, uri ] } + octavia::keystone::auth::password: {get_param: OctaviaPassword} + octavia::keystone::auth::region: {get_param: KeystoneRegion} + mysql: + octavia::db::mysql::password: {get_param: OctaviaPassword} + octavia::db::mysql::user: octavia + octavia::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]} + 
octavia::db::mysql::dbname: octavia + octavia::db::mysql::allowed_hosts: + - '%' + - "%{hiera('mysql_bind_host')}" diff --git a/puppet/services/octavia-base.yaml b/puppet/services/octavia-base.yaml new file mode 100644 index 00000000..b537a2bc --- /dev/null +++ b/puppet/services/octavia-base.yaml 
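Review bot: `octavia::db::mysql::allowed_hosts` lists `'%'`, which grants the `octavia` database user access from any host and makes the second entry, `%{hiera('mysql_bind_host')}`, redundant. nova-placement.yaml shows the same pair in its context lines, so this follows the existing convention, but a new service is a good place to restrict the grant to the hosts or subnet that actually run Octavia. Separately, `OctaviaPassword` is described as the password for the database account while the template also uses it for `octavia::keystone::authtoken::password` and `octavia::keystone::auth::password`; the description should say so, since leaking or rotating it affects both the database and the Keystone service user.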
@@ -0,0 +1,62 @@
+heat_template_version: ocata
+
+description: >
+ OpenStack Octavia base service. Shared for all Octavia services
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ Debug:
+ type: string
+ default: ''
+ description: Set to True to enable debugging on all services.
+ EnableConfigPurge:
+ type: boolean
+ default: true
+ description: >
+ Remove configuration that is not generated by TripleO. Setting
+ to false may result in configuration remnants after updates/upgrades.
+ RabbitPassword:
+ description: The password for RabbitMQ
+ type: string
+ hidden: true
+ RabbitUserName:
+ default: guest
+ description: The username for RabbitMQ
+ type: string
+ RabbitClientUseSSL:
+ default: false
+ description: >
+ Rabbit client subscriber parameter to specify
+ an SSL connection to the RabbitMQ host.
+ type: string
+ RabbitClientPort:
+ default: 5672
+ description: Set rabbit subscriber port, change this if using SSL
+ type: number
+
+outputs:
+ role_data:
+ description: Base role data for Octavia services
+ value:
+ service_name: octavia_base
+ config_settings:
+ octavia::debug: {get_param: Debug}
+ octavia::purge_config: {get_param: EnableConfigPurge}
+ octavia::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+ tripleo::profile::base::octavia::rabbit_user: {get_param: RabbitUserName}
+ tripleo::profile::base::octavia::rabbit_password: {get_param: RabbitPassword}
+ tripleo::profile::base::octavia::rabbit_port: {get_param: RabbitClientPort}
+
diff --git a/puppet/services/octavia-health-manager.yaml b/puppet/services/octavia-health-manager.yaml
new file mode 100644
index 00000000..51d32f23
--- /dev/null
+++ b/puppet/services/octavia-health-manager.yaml
@@ -0,0 +1,61 @@
+heat_template_version: ocata
+
+description: >
+ OpenStack Octavia Health Manager service.
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ MonitoringSubscriptionOctaviaHealthManager:
+ default: 'overcloud-octavia-health-manager'
+ type: string
+ OctaviaHealthManagerLoggingSource:
+ type: json
+ default:
+ tag: openstack.octavia.health-manager
+ path: /var/log/octavia/health-manager.log
+ OctaviaHeartbeatKey:
+ type: string
+ description: Key to identify heartbeat messages for amphorae.
+ hidden: true
+
+resources:
+
+ OctaviaBase:
+ type: ./octavia-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Octavia Health Manager service.
+ value:
+ service_name: octavia_health_manager
+ monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaHealthManager}
+ logging_source: {get_param: OctaviaHealthManagerLoggingSource}
+ logging_groups:
+ - octavia
+ config_settings:
+ map_merge:
+ - get_attr: [OctaviaBase, role_data, config_settings]
+ - octavia::health_manager::heartbeat_key: {get_param: OctaviaHeartbeatKey}
+ octavia::health_manager::event_streamer_driver: 'queue_event_streamer'
+ step_config: |
+ include tripleo::profile::base::octavia::health_manager
+
+
+
diff --git a/puppet/services/octavia-housekeeping.yaml b/puppet/services/octavia-housekeeping.yaml
new file mode 100644
index 00000000..84c33433
--- /dev/null
+++ b/puppet/services/octavia-housekeeping.yaml
@@ -0,0 +1,70 @@
+heat_template_version: ocata
+
+description: >
+ OpenStack Octavia Housekeeping service.
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ OctaviaAmphoraExpiryAge:
+ default: 0
+ description: The interval in seconds after which an unused Amphora will
+ be considered expired and cleaned up. If left to 0, the
+ configuration will not be set and the system will use
+ the service defaults.
+ type: number
+ MonitoringSubscriptionOctaviaHousekeeping:
+ default: 'overcloud-octavia-housekeeping'
+ type: string
+ OctaviaHousekeepingLoggingSource:
+ type: json
+ default:
+ tag: openstack.octavia.housekeeping
+ path: /var/log/octavia/housekeeping.log
+
+conditions:
+ amphora_expiry_is_zero: {equals: [{get_param: OctaviaAmphoraExpiryAge}, 0]}
+
+
+resources:
+
+ OctaviaBase:
+ type: ./octavia-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Octavia Housekeeping service.
+ value:
+ service_name: octavia_housekeeping
+ monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaHousekeeping}
+ logging_source: {get_param: OctaviaHousekeepingLoggingSource}
+ logging_groups:
+ - octavia
+ config_settings:
+ map_merge:
+ - get_attr: [OctaviaBase, role_data, config_settings]
+ -
+ if:
+ - amphora_expiry_is_zero
+ - {}
+ - octavia::worker::amphora_expiry_age: {get_param: OctaviaAmphoraExpiryAge}
+ step_config: |
+ include tripleo::profile::base::octavia::housekeeping
+
+
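Review bot: The expiry setting in the housekeeping template is written to the hiera key `octavia::worker::amphora_expiry_age`, while `step_config` includes only `tripleo::profile::base::octavia::housekeeping`. If that profile does not also declare the worker class on the node, the value given through `OctaviaAmphoraExpiryAge` would be silently ignored and unused amphorae would be kept for the service default; confirm which Puppet class consumes the key and use that class's namespace. The parameter also accepts negative numbers, so a `constraints:` entry with `- range: {min: 0}` would reject a bad value at stack validation instead of at service start.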
diff --git a/puppet/services/octavia-worker.yaml b/puppet/services/octavia-worker.yaml
new file mode 100644
index 00000000..9212b76b
--- /dev/null
+++ b/puppet/services/octavia-worker.yaml
@@ -0,0 +1,102 @@
+heat_template_version: ocata
+
+description: >
+ OpenStack Octavia Worker service.
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ MonitoringSubscriptionOctaviaWorker:
+ default: 'overcloud-octavia-worker'
+ type: string
+ OctaviaWorkerLoggingSource:
+ type: json
+ default:
+ tag: openstack.octavia.worker
+ path: /var/log/octavia/worker.log
+ OctaviaAmphoraImageTag:
+ default: ''
+ description: Glance image tag for identifying the amphora image.
+ type: string
+ OctaviaAmphoraNetworkList:
+ default: []
+ description: List of networks to attach to amphorae.
+ type: comma_delimited_list
+ OctaviaLoadBalancerTopology:
+ default: ''
+ description: Load balancer topology configuration.
+ type: string
+ OctaviaFlavorId:
+ default: 65
+ description: Nova flavor ID to be used when creating the nova flavor for
+ amphora.
+ type: number
+ OctaviaFlavorProperties:
+ default: {}
+ description: Dictionary describing the nova flavor for amphora.
+ type: json
+ OctaviaManageNovaFlavor:
+ default: false
+ description: Configure the nova flavor for the amphora.
+ type: boolean
+ OctaviaSSHKeyName:
+ default: 'octavia-ssh-key'
+ description: name for ssh key to be configured so the amphora can
+ be logged into.
+ type: string
+
+conditions:
+ octavia_topology_unset: {equals : [{get_param: OctaviaLoadBalancerTopology}, ""]}
+ octavia_amphora_tag_unset: {equals: [{get_param: OctaviaAmphoraImageTag}, ""]}
+
+resources:
+
+ OctaviaBase:
+ type: ./octavia-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Octavia WoWorker service.
+ value:
+ service_name: octavia_worker
+ monitoring_subscription: {get_param: MonitoringSubscriptionOctaviaWorker}
+ logging_source: {get_param: OctaviaWorkerLoggingSource}
+ logging_groups:
+ -octavia
+ config_settings:
+ map_merge:
+ - get_attr: [OctaviaBase, role_data, config_settings]
+ - octavia::worker::amp_boot_network_list: {get_param: OctaviaAmphoraNetworkList}
+ octavia::worker::amp_flavor_id: {get_param: OctaviaFlavorId}
+ octavia::worker::nova_flavor_config: {get_param: OctaviaFlavorProperties}
+ octavia::worker::manage_nova_flavor: {get_param: OctaviaManageNovaFlavor}
+ octavia::worker::ssh_key_name: {get_param: OctaviaSSHKeyName}
+ -
+ if:
+ - octavia_amphora_tag_unset
+ - {}
+ - octavia::worker::amp_image_tag: {get_param: OctaviaAmphoraImageTag}
+ -
+ if:
+ - octavia_topology_unset
+ - {}
+ - octavia::worker::loadbalancer_topology: {get_param: OctaviaLoadBalancerTopology}
+ step_config: |
+ include tripleo::profile::base::octavia::worker
+
diff --git a/puppet/services/pacemaker.yaml b/puppet/services/pacemaker.yaml
index 9adf1bdb..ca21cfbe 100644
--- a/puppet/services/pacemaker.yaml
+++ b/puppet/services/pacemaker.yaml
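Review bot: In `octavia-worker.yaml` the `logging_groups` entry is written `-octavia` with no space after the dash, so YAML reads it as the plain string `-octavia` rather than a one-element list; the API, health-manager and housekeeping templates in this commit all write `- octavia`. Whatever consumes `logging_groups` as a list of group names would get no usable group for the worker, which presumably leaves `/var/log/octavia/worker.log` unreadable to the log collector and the worker absent from central logging. Change the line to `- octavia`, and correct `WoWorker` to `Worker` in the `role_data` description.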
@@ -29,11 +29,22 @@ parameters: default: false description: Whether to enable fencing in Pacemaker or not. type: boolean + PacemakerRemoteAuthkey: + type: string + description: The authkey for the pacemaker remote service. + hidden: true + default: '' PcsdPassword: type: string description: The password for the 'pcsd' user for pacemaker. hidden: true default: '' + CorosyncSettleTries: + type: number + description: Number of tries for cluster settling. This has the + same default as the pacemaker puppet module. Override + to a smaller value when in need to replace a controller node. + default: 360 FencingConfig: default: {} description: | @@ -76,6 +87,10 @@ parameters: \[(?<pid>[^ ]*)\] (?<host>[^ ]*) (?<message>.*)$/ + PacemakerResources: + type: comma_delimited_list + description: List of resources managed by pacemaker + default: ['rabbitmq','haproxy'] outputs: role_data: @@ -92,6 +107,7 @@ outputs: pacemaker::resource_defaults::defaults: resource-stickiness: { value: INFINITY } corosync_token_timeout: 10000 + pacemaker::corosync::settle_tries: {get_param: CorosyncSettleTries} tripleo.pacemaker.firewall_rules: '130 pacemaker tcp': proto: 'tcp' @@ -112,5 +128,20 @@ outputs: passwords: - {get_param: PcsdPassword} - {get_param: [DefaultPasswords, pcsd_password]} + tripleo::profile::base::pacemaker::remote_authkey: {get_param: PacemakerRemoteAuthkey} step_config: | include ::tripleo::profile::base::pacemaker + upgrade_tasks: + - name: Check pacemaker cluster running before upgrade + tags: step0,validation + pacemaker_cluster: state=online check_and_fail=true + - name: Stop pacemaker cluster + tags: step1 + pacemaker_cluster: state=offline + - name: Start pacemaker cluster + tags: step4 + pacemaker_cluster: state=online + - name: Check pacemaker resource + tags: step4 + pacemaker_resource: state=started resource={{item}} check_mode=true wait_for_resource=true timeout=200 + with_items: {get_param: PacemakerResources} 
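Review bot: `PacemakerRemoteAuthkey` is declared with `default: ''` in the first hunk of `pacemaker.yaml` and passed unconditionally to `tripleo::profile::base::pacemaker::remote_authkey` in the last hunk, so a deployment that never sets it hands the profile an empty key without any error. What the profile does with an empty string is not visible here; if it writes the key out as given, the pacemaker_remote connection would be protected by an empty secret. The same default appears in the new `puppet/services/pacemaker_remote.yaml`, where the key is always needed: drop the default there so Heat refuses to create the stack without a key, and in this file emit the hiera key only under a condition that the parameter is non-empty. A `constraints:` entry with `- length: {min: N}` (N being the minimum the operators agree on) would also reject trivially short keys.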
diff --git a/puppet/services/pacemaker/ceph-rbdmirror.yaml b/puppet/services/pacemaker/ceph-rbdmirror.yaml
new file mode 100644
index 00000000..7686028d
--- /dev/null
+++ b/puppet/services/pacemaker/ceph-rbdmirror.yaml
@@ -0,0 +1,47 @@
+heat_template_version: ocata
+
+description: >
+ Ceph RBD mirror service.
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ CephClientUserName:
+ default: openstack
+ type: string
+
+resources:
+ CephBase:
+ type: ../ceph-base.yaml
+ properties:
+ ServiceNetMap: {get_param: ServiceNetMap}
+ DefaultPasswords: {get_param: DefaultPasswords}
+ EndpointMap: {get_param: EndpointMap}
+
+outputs:
+ role_data:
+ description: Role data for the Ceph RBD mirrror service.
+ value:
+ service_name: ceph_rbdmirror
+ config_settings:
+ map_merge:
+ - get_attr: [CephBase, role_data, config_settings]
+ - tripleo::profile::pacemaker::ceph::rbdmirror::client_name: {get_param: CephClientUserName}
+ tripleo.ceph_rbdmirror.firewall_rules:
+ '113 ceph_rbdmirror':
+ dport:
+ - '6800-7300'
+ step_config: |
+ include ::tripleo::profile::pacemaker::ceph::rbdmirror
\ No newline at end of file diff --git a/puppet/services/pacemaker/database/mysql.yaml b/puppet/services/pacemaker/database/mysql.yaml index 511a01ab..93bf5967 100644 --- a/puppet/services/pacemaker/database/mysql.yaml +++ b/puppet/services/pacemaker/database/mysql.yaml @@ -53,6 +53,8 @@ outputs: get_param: [ServiceNetMap, MysqlNetwork] step_config: | include ::tripleo::profile::pacemaker::database::mysql + metadata_settings: + get_attr: [MysqlBase, role_data, metadata_settings] upgrade_tasks: - name: Check for galera root password tags: step0 diff --git a/puppet/services/pacemaker/haproxy.yaml b/puppet/services/pacemaker/haproxy.yaml index 50da4119..598deaef 100644 --- a/puppet/services/pacemaker/haproxy.yaml +++ b/puppet/services/pacemaker/haproxy.yaml @@ -40,3 +40,5 @@ outputs: tripleo::haproxy::mysql_clustercheck: true step_config: | include ::tripleo::profile::pacemaker::haproxy + metadata_settings: + get_attr: [LoadbalancerServiceBase, role_data, metadata_settings] diff --git a/puppet/services/pacemaker_remote.yaml b/puppet/services/pacemaker_remote.yaml new file mode 100644 index 00000000..daee43e6 --- /dev/null +++ b/puppet/services/pacemaker_remote.yaml 
@@ -0,0 +1,57 @@
+heat_template_version: ocata
+
+description: >
+ Pacemaker remote service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ PacemakerRemoteAuthkey:
+ type: string
+ description: The authkey for the pacemaker remote service.
+ hidden: true
+ default: ''
+ MonitoringSubscriptionPacemakerRemote:
+ default: 'overcloud-pacemaker_remote'
+ type: string
+ PacemakerRemoteLoggingSource:
+ type: json
+ default:
+ tag: system.pacemaker_remote
+ path: /var/log/pacemaker.log
+ format: >-
+ /^(?<time>[^ ]*\s*[^ ]* [^ ]*)
+ \[(?<pid>[^ ]*)\]
+ (?<host>[^ ]*)
+ (?<message>.*)$/
+
+outputs:
+ role_data:
+ description: Role data for the Pacemaker remote role.
+ value:
+ service_name: pacemaker_remote
+ monitoring_subscription: {get_param: MonitoringSubscriptionPacemakerRemote}
+ logging_groups:
+ - haclient
+ logging_source: {get_param: PacemakerRemoteLoggingSource}
+ config_settings:
+ tripleo.pacemaker_remote.firewall_rules:
+ '130 pacemaker_remote tcp':
+ proto: 'tcp'
+ dport:
+ - 3121
+ tripleo::profile::base::pacemaker_remote::remote_authkey: {get_param: PacemakerRemoteAuthkey}
+ step_config: |
+ include ::tripleo::profile::base::pacemaker_remote
diff --git a/puppet/services/panko-api.yaml b/puppet/services/panko-api.yaml
index 06284fb2..4b74ad45 100644
--- a/puppet/services/panko-api.yaml
+++ b/puppet/services/panko-api.yaml
@@ -82,3 +82,5 @@ outputs: get_attr: [PankoBase, role_data, service_config_settings] step_config: | include tripleo::profile::base::panko::api + metadata_settings: + get_attr: [ApacheServiceBase, role_data, metadata_settings] diff --git a/puppet/services/panko-base.yaml b/puppet/services/panko-base.yaml index 6e25d796..2c2586af 100644 --- a/puppet/services/panko-base.yaml +++ b/puppet/services/panko-base.yaml @@ -53,7 +53,7 @@ outputs: panko::keystone::authtoken::project_name: 'service' panko::keystone::authtoken::password: {get_param: PankoPassword} panko::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + panko::keystone::authtoken::auth_url: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } panko::auth::auth_password: {get_param: PankoPassword} panko::auth::auth_region: 'regionOne' panko::auth::auth_tenant_name: 'service' diff --git a/puppet/services/sahara-api.yaml b/puppet/services/sahara-api.yaml index 9e494385..8573ea81 100644 --- a/puppet/services/sahara-api.yaml +++ b/puppet/services/sahara-api.yaml @@ -90,3 +90,7 @@ outputs: sahara::db::mysql::allowed_hosts: - '%' - "%{hiera('mysql_bind_host')}" + upgrade_tasks: + - name: Stop sahara_api service + tags: step2 + service: name=openstack-sahara-api state=stopped diff --git a/puppet/services/sahara-base.yaml b/puppet/services/sahara-base.yaml index b4307053..e2084186 100644 --- a/puppet/services/sahara-base.yaml +++ b/puppet/services/sahara-base.yaml 
@@ -73,7 +73,7 @@ outputs: sahara::debug: {get_param: Debug} sahara::admin_password: {get_param: SaharaPassword} sahara::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri] } - sahara::identity_uri: { get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix] } + sahara::identity_uri: { get_param: [EndpointMap, KeystoneInternal, uri_no_suffix] } sahara::use_neutron: true sahara::plugins: {get_param: SaharaPlugins} sahara::rpc_backend: rabbit diff --git a/puppet/services/sahara-engine.yaml b/puppet/services/sahara-engine.yaml index a1521c28..987fe25b 100644 --- a/puppet/services/sahara-engine.yaml +++ b/puppet/services/sahara-engine.yaml @@ -49,3 +49,10 @@ outputs: - get_attr: [SaharaBase, role_data, config_settings] step_config: | include ::tripleo::profile::base::sahara::engine + upgrade_tasks: + - name: Stop sahara_engine service + tags: step2 + service: name=openstack-sahara-engine state=stopped + - name: Sync sahara_engine DB + tags: step5 + command: sahara-db-manage --config-file /etc/sahara/sahara.conf upgrade head diff --git a/puppet/services/services.yaml b/puppet/services/services.yaml index 90268c78..80da5352 100644 --- a/puppet/services/services.yaml +++ b/puppet/services/services.yaml @@ -118,4 +118,9 @@ outputs: # Note we use distinct() here to filter any identical tasks, e.g yum update for all services expression: $.data.where($ != null).select($.get('upgrade_tasks')).where($ != null).flatten().distinct() data: {get_attr: [ServiceChain, role_data]} + upgrade_batch_tasks: + yaql: + # Note we use distinct() here to filter any identical tasks, e.g yum update for all services + expression: $.data.where($ != null).select($.get('upgrade_batch_tasks')).where($ != null).flatten().distinct() + data: {get_attr: [ServiceChain, role_data]} service_metadata_settings: {get_attr: [ServiceServerMetadataHook, metadata]} diff --git a/puppet/services/snmp.yaml b/puppet/services/snmp.yaml index be9d143e..fd6ed818 100644 --- a/puppet/services/snmp.yaml 
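Review bot: The `Sync sahara_engine DB` task added to `sahara-engine.yaml` runs `sahara-db-manage --config-file /etc/sahara/sahara.conf upgrade head` with nothing limiting it to one node, so every node that carries the service would start the schema migration at step5. Whether the upgrade steps are serialised across nodes is not visible in this hunk; if they are not, concurrent migrations against the shared database can collide and leave the schema half-applied. Add a `when:` condition that restricts the task to a single designated node, with a short comment stating that the migration must run once per cluster.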
+++ b/puppet/services/snmp.yaml @@ -43,3 +43,7 @@ outputs: proto: 'udp' step_config: | include ::tripleo::profile::base::snmp + upgrade_tasks: + - name: Stop snmp service + tags: step2 + service: name=snmpd state=stopped diff --git a/puppet/services/neutron-compute-plugin-opencontrail.yaml b/puppet/services/sshd.yaml index bbe4a051..41e144a0 100644 --- a/puppet/services/neutron-compute-plugin-opencontrail.yaml +++ b/puppet/services/sshd.yaml @@ -1,7 +1,7 @@ heat_template_version: ocata description: > - OpenStack Neutron Compute OpenContrail plugin + Configure sshd_config parameters: ServiceNetMap: @@ -18,12 +18,17 @@ parameters: description: Mapping of service endpoint -> protocol. Typically set via parameter_defaults in the resource registry. type: json + BannerText: + default: '' + description: Configures Banner text in sshd_config + type: string outputs: role_data: - description: Role data for the Neutron Compute OpenContrail plugin + description: Role data for the ssh value: - service_name: neutron_compute_plugin_opencontrail + service_name: sshd config_settings: + BannerText: {get_param: BannerText} step_config: | - include ::tripleo::profile::base::neutron::opencontrail::vrouter + include ::tripleo::profile::base::sshd diff --git a/puppet/services/swift-proxy.yaml b/puppet/services/swift-proxy.yaml index 62d227a2..526fa888 100644 --- a/puppet/services/swift-proxy.yaml +++ b/puppet/services/swift-proxy.yaml @@ -57,6 +57,12 @@ parameters: default: 5672 description: Set rabbit subscriber port, change this if using SSL type: number + RabbitClientUseSSL: + default: false + description: > + Rabbit client subscriber parameter to specify + an SSL connection to the RabbitMQ host. + type: string conditions: 
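Review bot: In `sshd.yaml` the banner is exported as the bare hiera key `BannerText`, while the other templates in this commit use class-qualified keys such as `octavia::debug`. An un-namespaced key is not bound by Puppet's automatic class-parameter lookup and can collide with any other service that defines the same name, so the banner is applied only if `::tripleo::profile::base::sshd` looks the key up explicitly, which is not visible here. Prefer a key under the profile's own namespace, and complete the `role_data` description, which now reads `Role data for the ssh`.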
@@ -81,7 +87,7 @@ outputs: - get_attr: [SwiftBase, role_data, config_settings] - swift::proxy::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} - swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + swift::proxy::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} swift::proxy::authtoken::password: {get_param: SwiftPassword} swift::proxy::authtoken::project_name: 'service' swift::proxy::node_timeout: {get_param: SwiftProxyNodeTimeout} @@ -91,6 +97,7 @@ outputs: swift::proxy::staticweb::url_base: {get_param: [EndpointMap, SwiftPublic, uri_no_suffix]} swift::proxy::ceilometer::nonblocking_notify: true tripleo::profile::base::swift::proxy::rabbit_port: {get_param: RabbitClientPort} + tripleo::profile::base::swift::proxy::ceilometer_messaging_use_ssl: {get_param: RabbitClientUseSSL} tripleo::profile::base::swift::proxy::ceilometer_enabled: {get_param: SwiftCeilometerPipelineEnabled} tripleo.swift_proxy.firewall_rules: '122 swift proxy': diff --git a/puppet/services/swift-ringbuilder.yaml b/puppet/services/swift-ringbuilder.yaml index a7ba7bad..2e3c818f 100644 --- a/puppet/services/swift-ringbuilder.yaml +++ b/puppet/services/swift-ringbuilder.yaml @@ -43,6 +43,16 @@ parameters: description: 'Use a local directory for Swift storage services when building rings' type: boolean +conditions: + swift_use_local_dir: + and: + - equals: + - get_param: SwiftUseLocalDir + - true + - equals: + - get_param: SwiftRawDisks + - {} + outputs: role_data: description: Role data for Swift Ringbuilder configuration. @@ -59,7 +69,7 @@ outputs: expression: $.data.raw_disk_lists.flatten() data: raw_disk_lists: - - {if: [{get_param: SwiftUseLocalDir}, [':%PORT%/d1'], []]} + - {if: [swift_use_local_dir, [':%PORT%/d1'], []]} - repeat: template: ':%PORT%/DEVICE' for_each: diff --git a/puppet/services/swift-storage.yaml b/puppet/services/swift-storage.yaml index 08df928d..247b23ff 100644 
--- a/puppet/services/swift-storage.yaml +++ b/puppet/services/swift-storage.yaml @@ -56,6 +56,17 @@ resources: DefaultPasswords: {get_param: DefaultPasswords} EndpointMap: {get_param: EndpointMap} +conditions: + swift_mount_check: + or: + - equals: + - get_param: SwiftMountCheck + - true + - not: + equals: + - get_param: SwiftRawDisks + - {} + outputs: role_data: description: Role data for the Swift Proxy role. @@ -65,7 +76,7 @@ outputs: config_settings: map_merge: - get_attr: [SwiftBase, role_data, config_settings] - - swift::storage::all::mount_check: {get_param: SwiftMountCheck} + - swift::storage::all::mount_check: {if: [swift_mount_check, true, false]} tripleo::profile::base::swift::storage::enable_swift_storage: {get_param: ControllerEnableSwiftStorage} tripleo.swift_storage.firewall_rules: '123 swift storage': diff --git a/puppet/services/tacker.yaml b/puppet/services/tacker.yaml new file mode 100644 index 00000000..5cf09a6d --- /dev/null +++ b/puppet/services/tacker.yaml 
@@ -0,0 +1,91 @@
+heat_template_version: ocata
+
+description: >
+ OpenStack Tacker service configured with Puppet
+
+parameters:
+ ServiceNetMap:
+ default: {}
+ description: Mapping of service_name -> network name. Typically set
+ via parameter_defaults in the resource registry. This
+ mapping overrides those in ServiceNetMapDefaults.
+ type: json
+ DefaultPasswords:
+ default: {}
+ type: json
+ EndpointMap:
+ default: {}
+ description: Mapping of service endpoint -> protocol. Typically set
+ via parameter_defaults in the resource registry.
+ type: json
+ TackerPassword:
+ description: The password for the tacker service account.
+ type: string
+ hidden: true
+ Debug:
+ type: string
+ default: ''
+ KeystoneRegion:
+ type: string
+ default: 'regionOne'
+ description: Keystone region for endpoint
+ RabbitPassword:
+ description: The password for RabbitMQ
+ type: string
+ hidden: true
+ RabbitUserName:
+ default: guest
+ description: The username for RabbitMQ
+ type: string
+ RabbitClientUseSSL:
+ default: false
+ description: >
+ Rabbit client subscriber parameter to specify
+ an SSL connection to the RabbitMQ host.
+ type: string
+ RabbitClientPort:
+ default: 5672
+ description: Set rabbit subscriber port, change this if using SSL
+ type: number
+
+outputs:
+ role_data:
+ description: Role data for the Tacker role.
+ value:
+ service_name: tacker
+ config_settings:
+ tacker_password: {get_param: TackerPassword}
+ tacker::db::database_connection:
+ list_join:
+ - ''
+ - - {get_param: [EndpointMap, MysqlInternal, protocol]}
+ - '://tacker:'
+ - {get_param: TackerPassword}
+ - '@'
+ - {get_param: [EndpointMap, MysqlInternal, host]}
+ - '/tacker'
+ - '?bind_address='
+ - "%{hiera('tripleo::profile::base::database::mysql::client_bind_address')}"
+
+ tacker::keystone::auth::tenant: 'service'
+ tacker::keystone::auth::password: {get_param: TackerPassword}
+ tacker::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]}
+ tacker::debug: {get_param: Debug}
+ tacker::rpc_backend: rabbit
+ tacker::rabbit_userid: {get_param: RabbitUserName}
+ tacker::rabbit_password: {get_param: RabbitPassword}
+ tacker::rabbit_use_ssl: {get_param: RabbitClientUseSSL}
+ tacker::rabbit_port: {get_param: RabbitClientPort}
+ tacker::server::bind_host: {get_param: [ServiceNetMap, TackerApiNetwork]}
+
+ tacker::db::mysql::password: {get_param: TackerPassword}
+ tacker::db::mysql::user: tacker
+ tacker::db::mysql::host: {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+ tacker::db::mysql::dbname: tacker
+ tacker::db::mysql::allowed_hosts:
+ - '%'
+ - {get_param: [EndpointMap, MysqlInternal, host_nobrackets]}
+
+
+ step_config: |
+ include ::tripleo::profile::base::tacker
diff --git a/puppet/services/zaqar.yaml b/puppet/services/zaqar.yaml
index 0224ac13..cb860fa8 100644
--- a/puppet/services/zaqar.yaml
+++ b/puppet/services/zaqar.yaml
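Review bot: The `tacker::db::mysql::*` and `tacker::keystone::auth::*` keys in `tacker.yaml` sit directly in `config_settings`, whereas the Octavia API template in this commit places the equivalent keys under `service_config_settings`, in its `mysql:` and `keystone:` sections. As written they land in the hieradata of the nodes running Tacker rather than the MySQL and Keystone nodes, so on a role without those services the database, grant and Keystone user would presumably never be created; move them into a `service_config_settings` block with `mysql:` and `keystone:` sections. Note also that `allowed_hosts` starts with `'%'`, which makes the second entry redundant and lets the `tacker` database account, whose password is the same `TackerPassword` used for Keystone, connect from any host that can reach MySQL. Listing only the hosts that need access, and using a separate secret for the database, would limit what a leaked service password exposes.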
@@ -40,7 +40,7 @@ outputs: config_settings: zaqar::keystone::authtoken::password: {get_param: ZaqarPassword} zaqar::keystone::authtoken::project_name: 'service' - zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneAdmin, uri_no_suffix]} + zaqar::keystone::authtoken::auth_url: {get_param: [EndpointMap, KeystoneInternal, uri_no_suffix]} zaqar::keystone::authtoken::auth_uri: {get_param: [EndpointMap, KeystoneInternal, uri]} zaqar::debug: {get_param: Debug} zaqar::transport::websocket::bind: {get_param: [EndpointMap, ZaqarInternal, host]} diff --git a/puppet/upgrade_config.yaml b/puppet/upgrade_config.yaml index e892d813..2cfd43f4 100644 --- a/puppet/upgrade_config.yaml +++ b/puppet/upgrade_config.yaml @@ -11,6 +11,11 @@ parameters: type: string description: Step number of the upgrade + SkipUpgradeConfigTags: + type: comma_delimited_list + description: Ansible tags to skip during upgrade, e.g validation skips pre-upgrade validations + default: [] + resources: AnsibleConfig: @@ -30,9 +35,13 @@ resources: properties: group: ansible options: + skip_tags: + list_join: + - "," + - {get_param: SkipUpgradeConfigTags} tags: str_replace: - template: "stepSTEP" + template: "common,stepSTEP" params: STEP: {get_param: step} modulepath: /usr/share/ansible-modules diff --git a/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml b/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml new file mode 100644 index 00000000..f9afb18d --- /dev/null +++ b/releasenotes/notes/6.0.0-b52a14a71fc62788.yaml 
@@ -0,0 +1,125 @@ +--- +prelude: > + 6.0.0 is the final release for Ocata. + It's the first release where release notes are added. +features: + - Fujitsu Neutron plugin for FOS support. Users can deploy + Neutron with this plugin by using + environments/neutron-ml2-fujitsu-fossw.yaml environment file. + - Expose InstanceDiscoveryMethod parameter to configure Ceilometer + method used to discover instances running on compute node. + Default value to 'libvirt_metadata'. Allowed values are 'naive', + 'libvirt_metadata' and 'workload_partitioning'. + - Make ServiceNetMap support custom network names. + Note that operators will still be expected to pass any ServiceNetMap + overrides with the "new" network name, e.g whatever NetName specifies, + otherwise environment files could get very confusing. + - Nova Placement API support. As this new service is required, deploy it + by default in WSGI with Apache, like other API services. + - Cinder pass-through iSER backend support. + - etcd composable services, used by networking-vpp ML2 driver as the + messaging mechanism. + - Allow to configure cron parameters for Cinder, Heat, Keystone and Nova + crontabs. + - Export NovaDefaultFloatingPool parameter to configure the default pool + of floating IP addressed available. Default to 'public' for backward + compatibility. + - Bump Heat Templates to 'ocata' version, to match Heat requirements. + - Configure OVS agent firewall driver only if NeutronOVSFirewallDriver + is set. + - Expose RbdDefaultFeatures parameter to configure the default features + enabled when creating a block device image. + Only applies to format '2' images. Set to '1' for Jewel clients using + older Ceph servers. + - Cinder HPELeftHandISCSIDriver backend support. + - Pacemaker stopped to manage Ceilometer, Cinder API, + Cinder Scheduler, MongoDB, Glance, Gnocchi, Heat, Apache, Memcached, + Neutron, Nova and Sahara. + - Ceph MDS service support. 
Service can be enable with + environments/services/ceph-mds.yaml environment file. + - Expose HeatConvergenceEngine and HeatMaxResourcesPerStack parameters + to configure Heat. + - Add pre-network hook and example showing config-then-reboot. + - Expose LibvirtEnabledPerfEvents parameter in Nova Compute service. + Default to an empty array. + This is a performance event list which could be used as monitor. + - Increase libvirt/qemu.conf max_files to 32768 and max_processes to + 131072. + - Split OVN northd and ml2 plugin, so we can deploy OVNDBs and Northd + services on different nodes. + - Add hook to generate metadata from service profiles. + This is useful for nova vendordata plugins that can parse said metadata. + - Expose EventPipelinePublishers to Ceilometer and set the default to + 'notifier://?topic=alarm.all'. + - Add Panko service support. This service is not enabled by default. Use + environments/services/enable-panko.yaml to include it in your deployment. + - Add EC2-API composable service support. + - Allow dnsmasq_dns_servers to be configured for Neutron DHCP Agent with a + new parameter (NeutronDhcpAgentDnsmasqDnsServers, default to []). + - Add support for Ceph RBD mirroring daemon managed by Pacemaker. + - Add deployed server bootstrap for RHEL. + - Configure VNC Server listen address on internal_api network by default. + - Support for Cinder Dell EMC PS Series. + - Support for Cinder Dell EMC EMC Storage Center. + - Support for Octavia composable services for LBaaS with Neutron. + - Support for Collectd composable services for performance monitoring. + - Support for Tacker composable service for VNF management. +upgrade: + - Update OpenDaylight deployment to use networking-odl v2 as a mechanism + driver. + - Update Contrail composable services. +deprecations: + - Glance Registry service has been removed and Glance API v2 is now deploy + by default. Glance API v1 is not supported anymore in TripleO. 
+ - Remove CeilometerStoreEvents parameter, which has been removed + in Ceilometer. + - Ceilometer API service is deprecated and will be removed in a future + release. If you would like to disable it, use + environments/services/disable-ceilometer-api.yaml environment file. + - Removes deprecated OpenDaylight L2 only deployments. + Deploying ODL without L3 DVR is no longer supported. +security: + - Enable management of 'DISALLOW_IFRAME_EMBED' in Horizon configuration to + prevent dashboard being embedded within an iframe and exposed to Cross-Frame + Scripting (XFS) vulnerability on legacy browsers. + - Enable management of 'ENFORCE_PASSWORD_CHECK' in Horizons configuration to + display an Admin Password field on the Change Password form to verify that + it is indeed the admin logged-in who wants to change the password. + - Enable management of 'DISABLE_PASSWORD_REVEAL' in Horizon, to remove the + password reveal option. + - Enable 'SECURE_PROXY_SSL_HEADER' option in Horizons configuration to take + X-Forwarded-Proto header into account when forming URLs. + - Enable management of ENFORCE_PASSWORD_CHECK value. By setting + 'ENFORCE_PASSWORD_CHECK' to 'True' within Horizons local_settings.py, it + displays an ‘Admin Password’ field on the “Change Password” form to verify + that it is the admin logged-in that wants to perform the password change. + - Enable management of Horizons Password Validation. Enables injection of an + operators own password validation regex via a heat template. + - Enable management of '/etc/issue Banner' whereby an operator can populate + their own Banner warning text to be displayed upon terminal login. + - Enable management of auditd system. '/etc/audit/audit.rules' can now be + populated by means of a heat template. +fixes: + - Fixes `bug 1645898 + <https://bugs.launchpad.net/tripleo/+bug/1645898>`__ so epmd is binded on + the right address, where RabbitMQ is listening too. 
+ - Fixes `bug 1652184 + <https://bugs.launchpad.net/tripleo/+bug/1652184>`__ so swap partitions + can be handled from an environment file thanks to AllNodesExtraConfig. + - Add retry to RHEL registration, useful when having network outages during + registration. + - Fixes `bug 1651476 + <https://bugs.launchpad.net/tripleo/+bug/1651476>`__ so firewall rules + are created for Opendaylight API service. + - Fixes `bug 1643487 + <https://bugs.launchpad.net/tripleo/+bug/1643487>`__ to prevent source + address from binding to a VIP for database connection. + - Fixes `bug 1649836 + <https://bugs.launchpad.net/tripleo/+bug/1649836>`__ to configure + DPDK options to isolate PMD cores and ovs process cores. + - Fixes `bug 1662344 + <https://bugs.launchpad.net/tripleo/+bug/1662344>`__ by stopping + to set bind_address on nova db uri. + This reverts the changes in https://review.openstack.org/414629 for nova as + they are incompatible with cell_v2. + This is a temporary fix for HA while a long-term solution is developed. diff --git a/releasenotes/notes/composable-ha-37e2d7e1f57f5c10.yaml b/releasenotes/notes/composable-ha-37e2d7e1f57f5c10.yaml new file mode 100644 index 00000000..e560fe95 --- /dev/null +++ b/releasenotes/notes/composable-ha-37e2d7e1f57f5c10.yaml @@ -0,0 +1,12 @@ +--- +features: + - With the composable HA work landed it is now possible + to split pacemaker-managed services like galera, rabbit, + redis, haproxy and any A/P resource, off to dedicated + nodes. These services can be split off to separate nodes + either via the normal Pacemaker service (which has a limit + of 16 maximum number of nodes) or via the newer PacemakerRemote + service (but not both on the same node). Note that until + https://bugzilla.redhat.com/show_bug.cgi?id=1417936 is fixed, + PacemakerRemote should only be used for Cinder A/P resources + and Manila A/P resources. 
diff --git a/releasenotes/notes/composable-upgrades-d9ec7c634365e8e0.yaml b/releasenotes/notes/composable-upgrades-d9ec7c634365e8e0.yaml new file mode 100644 index 00000000..55062b04 --- /dev/null +++ b/releasenotes/notes/composable-upgrades-d9ec7c634365e8e0.yaml @@ -0,0 +1,14 @@ +--- +features: + - | + Composable service plugins now support two additional sections, + upgrade_tasks and upgrade_batch_tasks. These can be used by service + template authors to define the required behavior on upgrade as ansible + tasks, for both upgrades that require downtime, and rolling upgrades. + See puppet/services/README.rst for more details. +upgrade: + - | + Please refer to tripleo-docs for full details on the upgrade workflow + required for Newton to Ocata upgrades, as it's possible some steps are + different to previous releases: + http://docs.openstack.org/developer/tripleo-docs/post_deployment/upgrade.html diff --git a/releasenotes/notes/deployed-servers-fd47f18204cea105.yaml b/releasenotes/notes/deployed-servers-fd47f18204cea105.yaml new file mode 100644 index 00000000..d05b268c --- /dev/null +++ b/releasenotes/notes/deployed-servers-fd47f18204cea105.yaml @@ -0,0 +1,8 @@ +--- +features: + - It is now possible to deploy with tripleo-heat-templates using servers that + are already provisioned with an operating system, and not necessarily + provisioned with Nova and Ironic. This feature is enabled by making use of + the environments/deployed-server-environment.yaml environment file. For + more information, see + http://docs.openstack.org/developer/tripleo-docs/advanced_deployment/deployed_server.html diff --git a/releasenotes/notes/ha-by-default-55326e699ee8602c.yaml b/releasenotes/notes/ha-by-default-55326e699ee8602c.yaml new file mode 100644 index 00000000..edcc1250 --- /dev/null +++ b/releasenotes/notes/ha-by-default-55326e699ee8602c.yaml 
@@ -0,0 +1,5 @@ +--- +deprecations: + - The environments/puppet-pacemaker.yaml file is now deprecated and the HA + deployment is now the default. In order to get the non-HA deployment use + environments/nonha-arch.yaml explicitly. diff --git a/releasenotes/notes/ironic-cleaning-network-1e06881df0402221.yaml b/releasenotes/notes/ironic-cleaning-network-1e06881df0402221.yaml new file mode 100644 index 00000000..72601f9e --- /dev/null +++ b/releasenotes/notes/ironic-cleaning-network-1e06881df0402221.yaml @@ -0,0 +1,10 @@ +--- +features: + - | + New parameter "IronicCleaningNetwork" can be used to override the name + or UUID of the **overcloud** network Ironic uses for cleaning. +fixes: + - | + A default value is now provided for Ironic ``cleaning_network`` + configuration option. Not providing it on start up was deprecated since + Newton, and will result in a failure in the near future. diff --git a/releasenotes/notes/keystone_internal-53cc7b24ebdd9df4.yaml b/releasenotes/notes/keystone_internal-53cc7b24ebdd9df4.yaml new file mode 100644 index 00000000..1f41073b --- /dev/null +++ b/releasenotes/notes/keystone_internal-53cc7b24ebdd9df4.yaml @@ -0,0 +1,9 @@ +--- +other: + - | + Use Keystone internal endpoint instead of admin for services. + The admin endpoint is listening on the ctlplane network by default; + services should ideally be using the internal api network for this kind + of traffic, as the ctlplane network is mostly for provisioning. On the + other hand, the admin endpoint shouldn't be as relevant with services + switching to keystone v3. diff --git a/releasenotes/notes/memcached-max-memory-ef6834d17953fca6.yaml b/releasenotes/notes/memcached-max-memory-ef6834d17953fca6.yaml new file mode 100644 index 00000000..c14cefa0 --- /dev/null +++ b/releasenotes/notes/memcached-max-memory-ef6834d17953fca6.yaml 
@@ -0,0 +1,7 @@ +--- +features: + - | + Memcached max memory configuration is now exposed va MemcachedMaxMemory. +upgrade: + - | + Reduce the default memory configuration for memcached from 95% to 50%. diff --git a/releasenotes/notes/octavia-service-integration-03bd3eb6cfe1efaf.yaml b/releasenotes/notes/octavia-service-integration-03bd3eb6cfe1efaf.yaml new file mode 100644 index 00000000..bd8d3562 --- /dev/null +++ b/releasenotes/notes/octavia-service-integration-03bd3eb6cfe1efaf.yaml @@ -0,0 +1,4 @@ +--- +features: + - | + Added initial support for deploying the Octavia services in the overcloud. diff --git a/releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml b/releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml new file mode 100644 index 00000000..1949e4fe --- /dev/null +++ b/releasenotes/notes/puppet-auditd-6504295e8c6c7a3b.yaml @@ -0,0 +1,9 @@ +--- +features: + - | + Adds the ability to manage auditd.service and enter audit.rules via tripleo + heat templates. This in turn enforces an audit log of system events, such + as system time changes, modifications to Discretionary Access Controls, + Failed login attempts. + + diff --git a/roles_data.yaml b/roles_data.yaml index d6c03cb9..31b12986 100644 --- a/roles_data.yaml +++ b/roles_data.yaml @@ -17,6 +17,10 @@ # disable_constraints: (boolean) optional, whether to disable Nova and Glance # constraints for each role specified in the templates. # +# upgrade_batch_size: (number): batch size for upgrades where tasks are +# specified by services to run in batches vs all nodes at once. +# This defaults to 1, but larger batches may be specified here. +# # ServicesDefault: (list) optional default list of services to be deployed # on the role, defaults to an empty list. Sets the default for the # {{role.name}}Services parameter in overcloud.yaml 
@@ -28,11 +32,13 @@ - OS::TripleO::Services::CephMds - OS::TripleO::Services::CephMon - OS::TripleO::Services::CephExternal + - OS::TripleO::Services::CephRbdMirror - OS::TripleO::Services::CephRgw - OS::TripleO::Services::CinderApi - OS::TripleO::Services::CinderBackup - OS::TripleO::Services::CinderScheduler - OS::TripleO::Services::CinderVolume + - OS::TripleO::Services::Congress - OS::TripleO::Services::Kernel - OS::TripleO::Services::Keystone - OS::TripleO::Services::GlanceApi @@ -61,11 +67,13 @@ - OS::TripleO::Services::NovaScheduler - OS::TripleO::Services::NovaConsoleauth - OS::TripleO::Services::NovaVncProxy + - OS::TripleO::Services::Ec2Api - OS::TripleO::Services::Ntp - OS::TripleO::Services::SwiftProxy - OS::TripleO::Services::SwiftStorage - OS::TripleO::Services::SwiftRingBuilder - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd - OS::TripleO::Services::Timezone - OS::TripleO::Services::CeilometerApi - OS::TripleO::Services::CeilometerCollector @@ -97,17 +105,26 @@ - OS::TripleO::Services::OpenDaylightOvs - OS::TripleO::Services::SensuClient - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::Collectd - OS::TripleO::Services::BarbicanApi - OS::TripleO::Services::PankoApi + - OS::TripleO::Services::Tacker - OS::TripleO::Services::Zaqar - OS::TripleO::Services::OVNDBs - OS::TripleO::Services::NeutronML2FujitsuCfab + - OS::TripleO::Services::NeutronML2FujitsuFossw - OS::TripleO::Services::CinderHPELeftHandISCSI - OS::TripleO::Services::Etcd + - OS::TripleO::Services::AuditD + - OS::TripleO::Services::OctaviaApi + - OS::TripleO::Services::OctaviaHealthManager + - OS::TripleO::Services::OctaviaHousekeeping + - OS::TripleO::Services::OctaviaWorker - name: Compute CountDefault: 1 HostnameFormatDefault: '%stackname%-novacompute-%index%' + disable_upgrade_deployment: True ServicesDefault: - OS::TripleO::Services::CACerts - OS::TripleO::Services::CephClient 
@@ -115,6 +132,7 @@ - OS::TripleO::Services::Timezone - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd - OS::TripleO::Services::NovaCompute - OS::TripleO::Services::NovaLibvirt - OS::TripleO::Services::Kernel @@ -129,6 +147,8 @@ - OS::TripleO::Services::OpenDaylightOvs - OS::TripleO::Services::SensuClient - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::AuditD + - OS::TripleO::Services::Collectd - name: BlockStorage ServicesDefault: @@ -138,12 +158,16 @@ - OS::TripleO::Services::Ntp - OS::TripleO::Services::Timezone - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall - OS::TripleO::Services::SensuClient - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::AuditD + - OS::TripleO::Services::Collectd - name: ObjectStorage + disable_upgrade_deployment: True ServicesDefault: - OS::TripleO::Services::CACerts - OS::TripleO::Services::Kernel @@ -151,11 +175,14 @@ - OS::TripleO::Services::SwiftStorage - OS::TripleO::Services::SwiftRingBuilder - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd - OS::TripleO::Services::Timezone - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall - OS::TripleO::Services::SensuClient - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::AuditD + - OS::TripleO::Services::Collectd - name: CephStorage ServicesDefault: @@ -164,8 +191,11 @@ - OS::TripleO::Services::Kernel - OS::TripleO::Services::Ntp - OS::TripleO::Services::Snmp + - OS::TripleO::Services::Sshd - OS::TripleO::Services::Timezone - OS::TripleO::Services::TripleoPackages - OS::TripleO::Services::TripleoFirewall - OS::TripleO::Services::SensuClient - OS::TripleO::Services::FluentdClient + - OS::TripleO::Services::AuditD + - OS::TripleO::Services::Collectd diff --git a/test-requirements.txt b/test-requirements.txt index 06bce5a2..1c9e3b42 100644 --- a/test-requirements.txt 
+++ b/test-requirements.txt @@ -4,6 +4,6 @@ PyYAML>=3.10.0 # MIT Jinja2!=2.9.0,!=2.9.1,!=2.9.2,!=2.9.3,!=2.9.4,>=2.8 # BSD License (3 clause) six>=1.9.0 # MIT -sphinx!=1.3b1,<1.4,>=1.2.1 # BSD +sphinx>=1.5.1 # BSD oslosphinx>=4.7.0 # Apache-2.0 reno>=1.8.0 # Apache-2.0 diff --git a/tools/process-templates.py b/tools/process-templates.py index 9a06812b..1c8c4ba6 100755 --- a/tools/process-templates.py +++ b/tools/process-templates.py @@ -14,10 +14,13 @@ import argparse import jinja2 import os +import shutil import six import sys import yaml +__tht_root_dir = os.path.dirname(os.path.dirname(__file__)) + def parse_opts(argv): parser = argparse.ArgumentParser( @@ -33,6 +36,9 @@ def parse_opts(argv): action='store_true', help="""Enable safe mode (do not overwrite files).""", default=False) + parser.add_argument('-o', '--output-dir', metavar='OUTPUT_DIR', + help="""Output dir for all the templates""", + default='') opts = parser.parse_args(argv[1:]) return opts @@ -47,9 +53,14 @@ def _j2_render_to_file(j2_template, j2_data, outfile_name=None, print('ERROR: path already exists for file: %s' % outfile_name) sys.exit(1) + # Search for templates relative to the current template path first + template_base = os.path.dirname(yaml_f) + j2_loader = jinja2.loaders.FileSystemLoader([template_base, __tht_root_dir]) + try: # Render the j2 template - template = jinja2.Environment().from_string(j2_template) + template = jinja2.Environment(loader=j2_loader).from_string( + j2_template) r_template = template.render(**j2_data) except jinja2.exceptions.TemplateError as ex: error_msg = ("Error rendering template %s : %s" @@ -60,7 +71,7 @@ def _j2_render_to_file(j2_template, j2_data, outfile_name=None, out_f.write(r_template) -def process_templates(template_path, role_data_path, overwrite): +def process_templates(template_path, role_data_path, output_dir, overwrite): with open(role_data_path) as role_data_file: role_data = yaml.safe_load(role_data_file) 
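Review bot: `__tht_root_dir` in the `@@ -14,10 +14,13 @@` hunk is computed from `__file__` without normalising it, so when the interpreter reports a relative `__file__` the result depends on how the script was launched. Started from inside `tools/`, it collapses to an empty string, and the Jinja loader added further down would search the current directory instead of the repository root. Anchoring it with `__tht_root_dir = os.path.dirname(os.path.dirname(os.path.abspath(__file__)))` makes the include search path independent of the working directory. A short comment above the assignment, saying that this is the fallback search root for template includes, would also help, since the name alone does not say what it is used for.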
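Review bot: In the `@@ -47,9 +53,14 @@` hunk `template_base` is taken from `os.path.dirname(yaml_f)`, and `yaml_f` is assigned above the hunk. If it holds the output file name, which the callers in the later hunks build from `out_dir`, then with `--output-dir` the first loader search path is the output tree rather than the directory of the template being rendered. Includes would then resolve against whatever earlier runs or the copy step left in the output directory before falling back to the repository root, which contradicts the comment `# Search for templates relative to the current template path first`. Consider passing the source directory in from the caller through a new optional keyword argument, for example `os.path.dirname(file_path)`, and building the loader from that. `_j2_render_to_file` starts and ends outside this hunk, so the assignment of `yaml_f` should be confirmed first.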
@@ -69,6 +80,11 @@ def process_templates(template_path, role_data_path, overwrite): with open(j2_excludes_path) as role_data_file: j2_excludes = yaml.safe_load(role_data_file) + if output_dir and not os.path.isdir(output_dir): + if os.path.exists(output_dir): + raise RuntimeError('Output dir %s is not a directory' % output_dir) + os.mkdir(output_dir) + role_names = [r.get('name') for r in role_data] r_map = {} for r in role_data: @@ -78,6 +94,29 @@ def process_templates(template_path, role_data_path, overwrite): if os.path.isdir(template_path): for subdir, dirs, files in os.walk(template_path): + + # NOTE(flaper87): Ignore hidden dirs as we don't + # generate templates for those. + # Note the slice assigment for `dirs` is necessary + # because we need to modify the *elements* in the + # dirs list rather than the reference to the list. + # This way we'll make sure os.walk will iterate over + # the shrunk list. os.walk doesn't have an API for + # filtering dirs at this point. + dirs[:] = [d for d in dirs if not d[0] == '.'] + files = [f for f in files if not f[0] == '.'] + + # NOTE(flaper87): We could have used shutil.copytree + # but it requires the dst dir to not be present. This + # approach is safer as it doesn't require us to delete + # the output_dir in advance and it allows for running + # the command multiple times with the same output_dir. + out_dir = subdir + if output_dir: + out_dir = os.path.join(output_dir, subdir) + if not os.path.exists(out_dir): + os.mkdir(out_dir) + for f in files: file_path = os.path.join(subdir, f) # We do two templating passes here: @@ -101,7 +140,7 @@ def process_templates(template_path, role_data_path, overwrite): [role.lower(), os.path.basename(f).replace('.role.j2.yaml', '.yaml')]) - out_f_path = os.path.join(subdir, out_f) + out_f_path = os.path.join(out_dir, out_f) if not (out_f_path in excl_templates): _j2_render_to_file(template_data, j2_data, out_f_path, overwrite) 
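Review bot: `out_dir = os.path.join(output_dir, subdir)` in the `@@ -78,6 +94,29 @@` hunk joins the full walked path onto the output directory, and `os.path.join` discards `output_dir` whenever `subdir` is absolute. With an absolute base path the rendered files are therefore written back into the source tree, and `shutil.copy` is asked to copy files onto themselves. A base path containing `..` likewise places `out_dir` outside the requested output directory. Joining the path relative to the walk root keeps every write under `output_dir`: `out_dir = os.path.join(output_dir, os.path.relpath(subdir, template_path))`. `process_templates` begins and ends outside this hunk.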
@@ -112,9 +151,12 @@ def process_templates(template_path, role_data_path, overwrite): with open(file_path) as j2_template: template_data = j2_template.read() j2_data = {'roles': role_data} - out_f = file_path.replace('.j2.yaml', '.yaml') - _j2_render_to_file(template_data, j2_data, out_f, + out_f = os.path.basename(f).replace('.j2.yaml', '.yaml') + out_f_path = os.path.join(out_dir, out_f) + _j2_render_to_file(template_data, j2_data, out_f_path, overwrite) + elif output_dir: + shutil.copy(os.path.join(subdir, f), out_dir) else: print('Unexpected argument %s' % template_path) @@ -123,4 +165,4 @@ opts = parse_opts(sys.argv) role_data_path = os.path.join(opts.base_path, opts.roles_data) -process_templates(opts.base_path, role_data_path, (not opts.safe)) +process_templates(opts.base_path, role_data_path, opts.output_dir, (not opts.safe)) diff --git a/tools/yaml-validate.py b/tools/yaml-validate.py index 63e3ce51..0eacbc60 100755 --- a/tools/yaml-validate.py +++ b/tools/yaml-validate.py @@ -66,7 +66,10 @@ def validate_mysql_connection(settings): def validate_mysql_uri(key, items): # Only consider a connection if it targets mysql - if key.endswith('connection') and \ + # TODO(owalsh): skip nova mysql uris,temporary workaround for + # tripleo/+bug/1662344 + if not key.startswith('nova') and \ + key.endswith('connection') and \ search(items, mysql_protocol, no_op): # Assume the "bind_address" option is one of # the token that made up the uri @@ -94,10 +97,6 @@ def validate_mysql_connection(settings): def validate_service(filename, tpl): - if 'heat_template_version' in tpl and not str(tpl['heat_template_version']).isalpha(): - print('ERROR: heat_template_version needs to be the release alias not a date: %s' - % filename) - return 1 if 'outputs' in tpl and 'role_data' in tpl['outputs']: if 'value' not in tpl['outputs']['role_data']: print('ERROR: invalid role_data for filename: %s' 
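Review bot: The new `elif output_dir:` branch in the `@@ -112,9 +151,12 @@` hunk calls `shutil.copy(os.path.join(subdir, f), out_dir)` without looking at `overwrite`. As a result `--safe` (described in `parse_opts` as "do not overwrite files") still replaces plain files that already exist in the output directory, while rendered templates go through the existence check in `_j2_render_to_file`. Checking the destination first keeps the two paths consistent, e.g. `if not overwrite and os.path.exists(os.path.join(out_dir, f)):` followed by the same error message and `sys.exit(1)`. `shutil.copy` also follows symbolic links, so a link in the template tree is copied as the file it points to; a comment stating whether that is intended would help. The enclosing `process_templates` starts and ends outside this hunk.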
@@ -135,6 +134,13 @@ def validate(filename): try: tpl = yaml.load(open(filename).read()) + # The template alias version should be used instead a date, this validation + # will be applied to all templates not just for those in the services folder. + if 'heat_template_version' in tpl and not str(tpl['heat_template_version']).isalpha(): + print('ERROR: heat_template_version needs to be the release alias not a date: %s' + % filename) + return 1 + if (filename.startswith('./puppet/services/') and filename != './puppet/services/services.yaml'): retval = validate_service(filename, tpl) @@ -196,8 +202,8 @@ if base_endpoint_map and \ matches = validate_endpoint_map(base_endpoint_map, env_endpoint_map['map']) if not matches: - print("ERROR: %s doesn't match base endpoint map" % - env_endpoint_map['file']) + print("ERROR: %s needs to be updated to match changes in base " + "endpoint map" % env_endpoint_map['file']) failed_files.append(env_endpoint_map['file']) exit_val |= 1 else: @@ -13,6 +13,7 @@ commands = {posargs} [testenv:pep8] commands = python ./tools/process-templates.py + python ./network/endpoints/build_endpoint_map.py --check python ./tools/yaml-validate.py . [testenv:templates] |
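Review bot: The check added in the `@@ -135,6 +134,13 @@` hunk now runs on every file the validator visits, and it reads `tpl` from `yaml.load(open(filename).read())` on the context line above, which is left on the default loader. With the `PyYAML>=3.10.0` floor in test-requirements.txt that may be a release whose default loader constructs arbitrary Python objects from tags in the document. `tools/process-templates.py` already uses `yaml.safe_load`, and `tpl = yaml.safe_load(open(filename).read())` would match it. Separately, `'heat_template_version' in tpl` raises `TypeError` when a file parses to `None` (an empty document), so `isinstance(tpl, dict) and 'heat_template_version' in tpl` is the safer condition. How the surrounding `try` handles that exception is outside the hunk.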